This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scott_Paisley
Advisor
‎2021-04-25 04:50 AM
Jump to solution

Stanby Manager resets to active

I failed over management servers yesterday. I failed back to the server we normally use as Active, and now the standby keeps resetting itself to active so I have a clash

I have a ticket open, but has anybody else seen this?

0 Kudos
1 Solution

Accepted Solutions
Scott_Paisley
Advisor
‎2021-04-25 08:38 AM
In response to Timothy_Hall
Jump to solution

Here is the TAC solution. Trying it now.

Solution

  1. Run the cpstop command.
     
  2. To find out the current status, run:

    # cpprod_util FwIsActiveManagement

    0 - means Standby.
    1 - means Active.
     
  3. To set the Management station to Standby status, run:

    # cpprod_util FwSetActiveManagement 0

     
  4. To set the Management station to Active status, run:

    # cpprod_util FwSetActiveManagement 1
     
  5. Run the cpstart command.

View solution in original post

0 Kudos
12 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2021-04-25 05:25 AM
Jump to solution

An SMS in a Management HA setup should never set itself active without human intervention.  Are you saying that you started with the Primary in active and Secondary in standby, then you set Secondary active (and Primary went standby), then you set Primary back to active (and Secondary went standby), and now you are saying the Secondary went active again on its own?  Are you seeing a state of "Advanced" or "Collision"?

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Scott_Paisley
Advisor
‎2021-04-25 05:31 AM
In response to Timothy_Hall
Jump to solution

I am seeing collision.

Due to an earlier issue, we normally run our Secondary as the Active, and our Primary as the Backup, and all is fine.

I made the primary active yesterday, then made the secondary active again. I can set the primary as standby and do a full sunc, then a few minutes later I get the error that says both are active

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-04-25 05:47 AM
In response to Scott_Paisley
Jump to solution

If you are in a collision state you must force a manual sync to get back into the usual active/standby.  Because both SMSs have changes, you need to pick a "winner" and a "loser".  The winner syncs over top of the loser; any changes on the loser are lost except I think for SIC certificate changes/revocations which are merged.  Would be a great idea to take backups of both SMSs first just in case you overwrite the "wrong" changes that you actually needed, as a manual sync cannot be undone.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Scott_Paisley
Advisor
‎2021-04-25 05:54 AM
In response to Timothy_Hall
Jump to solution

A manual sync does not resolve the problem.

It shows a successful sync, then some minutes later back to collision.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-04-25 06:18 AM
In response to Scott_Paisley
Jump to solution

Yep, that would be a TAC case then.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
Scott_Paisley
Advisor
‎2021-04-25 08:38 AM
In response to Timothy_Hall
Jump to solution

Here is the TAC solution. Trying it now.

Solution

  1. Run the cpstop command.
     
  2. To find out the current status, run:

    # cpprod_util FwIsActiveManagement

    0 - means Standby.
    1 - means Active.
     
  3. To set the Management station to Standby status, run:

    # cpprod_util FwSetActiveManagement 0

     
  4. To set the Management station to Active status, run:

    # cpprod_util FwSetActiveManagement 1
     
  5. Run the cpstart command.
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-04-25 08:46 AM
Jump to solution

I could be wrong when I say this, as I had not set and played with mgmt HA in some time, but I dont believe there is a preempt option in dashboard like you can set for gateways where one member can always act as master even when it comes back after reboot. I think that for mgmt HA, you have to do that manually if you want to fail them over. Now, from what you described, that sort of behaviour does not sound normal to me. Are there any logs you can see either in dashboard or command line? Maybe messages file, any core dumps?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Scott_Paisley
Advisor
‎2021-04-25 08:48 AM
In response to the_rock
Jump to solution

Yeah, I did a manual failover, and a manual failback, but the failback didn't 'stick' on one of the boxes. Trying the TAC fix now.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-04-25 08:53 AM
In response to Scott_Paisley
Jump to solution

Ok, great, let us know if that works. I think I seen that procedure before, I believe there is an sk for that. Hope it goes well.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-04-25 09:34 AM
In response to the_rock
Jump to solution

It does sound odd.  The real question is what's triggered this behaviour ie. what's the root cause of the issue.

Silly question but what values are returned when you run the following on both SMS appliances?

cprod_util FwIsActiveManagement

Primary Should = 1

Secondary Should = 0

 

0 Kudos
Scott_Paisley
Advisor
‎2021-04-25 09:52 AM
In response to genisis__
Jump to solution

Both devices returned 1, which explains the problem.

Since I set the standby to zero, it appears to be working.

What is interesting is that it didn't work from the GUI

the_rock
MVP Diamond
MVP Diamond
‎2021-04-25 10:33 AM
In response to Scott_Paisley
Jump to solution

Yes, thats very odd indeed. Let us know if they ever find a reason why it happened, I would be curious to know.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events