Alex_Gilis
Advisor

R80.30 VSX 3.10 IPS update failure on secondary member

I've deployed new 26000T appliances running R80.30 3.10 and the latest hotfix in VSX mode (SMS).

Some VS have a variety of security blades enabled, but all have at least IPS. I've noticed that all VS on the secondary member are reporting an error on the IPS blade specifically, with the following message:

Error: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://updates.checkpoint.com/WebService/services/DownloadMetaDataService"). Check connectivity and proxy settings.


Other security blades like Anti-Virus and Anti-Bot are not complaining; they are green on both members with a successful update status and versioning.

If I VSLS some VS to the second member, the issue remains for IPS only, but with the cluster members inverted.

Of course, this means I have all my VS in red in the Smart Console.

I've followed sk43807 but none of the solutions work. Everything runs on R80.30 with the latest GA Take (140).

As it's only happening with IPS updates, I believe it's linked to some specific configuration bits but for now I've been unable to solve this. Anyone else experienced this or should I go to TAC? 

6 Replies
Maarten_Sjouw
Champion

The problem you are seeing is caused by the issue that all traffic originating from a cluster member is hidden behind the Cluster IP.
I really still do not understand why this is an option when you set a cluster to VRRP, but it needs fwkern options to change this behavior for ClusterXL. See sk34180.

Regards, Maarten
Alex_Gilis
Advisor

All VS have the "fold" attribute set to True, which I understand is what you want to do to avoid seeing VSX internal cluster addresses.

Maarten_Sjouw
Champion

Don't forget that a number of things are done from VS0, not from the VS itself. I would expect IPS updates to be done at the VS0 level and then distributed to all VSs.
So make sure VS0 has internet access and DNS configured.
Regards, Maarten
Alex_Gilis
Advisor

Thanks for your insight, I will continue looking at this. I've seen now that if I switch over a VS to Member B, the IPS alarm disappears on both.

LucasCosta
Participant

Hi,


Is context 0 able to "telnet" the internet (telnet google.com 443, for example)? I already had this issue, and changing the parameter from sk43807 did not work.


I always use sk65341 (regular gateway) to solve this issue. Please use sk111786 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) because you do have VSX.


Remember to always close all SmartConsole sessions. You can confirm that with the "cpstat mg" command on the MGMT.

_Val_
Admin

It is clearly a connectivity issue. Both cluster members should be able to reach out to the Internet, no matter whether active or standby.

Most probably your VS0 on the standby is exiting to the Internet with the VIP of the cluster. Look here for the resolution: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
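The mechanism Maarten and Val describe (the standby member's own traffic is source-NATted to the cluster VIP, so the upstream sends the reply to whichever member currently owns the VIP, i.e. the active one) can be made concrete with a small model. The following Python is an added example written for this thread, not Check Point code and not the contents of any sk; the cluster VIP, member addresses and update-server address are constructed documentation-range values, and the toy "upstream" only does what the argument needs: deliver traffic for the VIP to the active member. It does not model the actual fwkern parameter, only the two behaviours (hidden behind VIP vs. using the member's own address) whose outcome it compares.

```python
"""Constructed model: why a standby cluster member cannot complete its own
outbound connection (e.g. to the IPS update service) when that connection
is hidden behind the cluster VIP. Added example, not Check Point code."""

from dataclasses import dataclass, field

VIP = "203.0.113.10"            # constructed cluster virtual IP
MEMBER_A = "203.0.113.11"       # constructed physical IP of member A (active)
MEMBER_B = "203.0.113.12"       # constructed physical IP of member B (standby)
UPDATE_SERVER = "198.51.100.5"  # constructed stand-in for the update service


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str  # "SYN" or "SYN-ACK"


@dataclass
class Member:
    name: str
    own_ip: str
    active: bool
    hide_behind_vip: bool
    # source addresses of connections this member itself originated and is
    # still waiting on (IP-only; ports are irrelevant to the point shown)
    pending: set = field(default_factory=set)

    def open_connection(self, dst):
        """Send a SYN from VS0. A member hidden behind the VIP rewrites its source to the VIP."""
        src = VIP if self.hide_behind_vip else self.own_ip
        self.pending.add(src)
        return Packet(src=src, dst=dst, flag="SYN")

    def receive(self, pkt):
        """A SYN-ACK completes the handshake only if this member has a matching pending SYN."""
        if pkt.flag == "SYN-ACK" and pkt.dst in self.pending:
            self.pending.discard(pkt.dst)
            return True
        return False


class Upstream:
    """Toy next hop: delivers to the owner of the destination address.
    Member addresses belong to their member; the VIP belongs to the active member."""

    def __init__(self, members):
        self.members = members

    def owner(self, ip):
        for m in self.members:
            if ip == m.own_ip or (ip == VIP and m.active):
                return m
        return None

    def deliver_reply(self, syn):
        reply = Packet(src=syn.dst, dst=syn.src, flag="SYN-ACK")
        target = self.owner(reply.dst)
        return target.receive(reply) if target else False


def handshake_completes(member, members):
    """True if the member's own outbound SYN gets its SYN-ACK delivered back to it."""
    syn = member.open_connection(UPDATE_SERVER)
    return Upstream(members).deliver_reply(syn)


def scenario(hide_behind_vip):
    """Run the active member's and then the standby member's handshake under one setting."""
    a = Member("A", MEMBER_A, active=True, hide_behind_vip=hide_behind_vip)
    b = Member("B", MEMBER_B, active=False, hide_behind_vip=hide_behind_vip)
    return {m.name: handshake_completes(m, [a, b]) for m in (a, b)}


if __name__ == "__main__":
    # The standby's reply lands on the active member, which has no matching
    # connection, so only the active member completes its handshake.
    print("hidden behind VIP:   ", scenario(True))   # {'A': True, 'B': False}
    # With each member sourcing from its own address, both complete.
    print("own member address:  ", scenario(False))  # {'A': True, 'B': True}
```

This matches the symptom in the thread: the alarm follows the standby role rather than a specific appliance, and moving a VS to the other member simply moves the failing side. The same model also explains why a plain TCP test to port 443 from VS0 on the standby (as suggested above) is a quicker discriminator than looking at the blade status.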