This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
MVP Gold
MVP Gold
a month ago

Wierd behaviour with R81.20

This weekend we observed something silly.

Customer runs MDS on R81.20. Customer had 4 domains.

We replaced an old cluster 6000 running R81 with new 9000 appliances with R81.20. And something weird happened.

After we replaced the first member of the cluster I reestablished SIC with the new hardware.

I changed the appliance type in SmartConsole. At that time it switched to R81.20 as R81 is not supported on the 9000 appliances.

I pushed the policy and ... it pushed the policy to the old node and not the new node. Somwhow the version of the cluster was listed as R81.20 but it did think it was still a R81 cluster.

This caused a routing issue and took us an hour to fix and I went back to R81 cluster to restore connectivity.

In the end I first did change the version but not the appliance type and it worked as one might expect with a Multi Version Clustering.

I can't recall I have seen this behaviour before and I think the error is with the Management system.

At this point I am just curious if anyone has seen this behaviour before.

 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
a month ago

Cant say I personally ever experienced that. Do you recall what policy was showing on new member at the time?

Best,
Andy
0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
4 weeks ago
In response to the_rock

As the policy was never installed it was still on the initialpolicy.

But the issue is with the management as the version shown is R81.20 on the cluster obejct but it installs as if the version is set to R81. So the version shown in SmartConsole seems to mismatch the actual version on the cluster object.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
the_rock
MVP Platinum
MVP Platinum
4 weeks ago
In response to Hugo_vd_Kooij

Never had that happen to me personally. Did you open TAC ticket for it yet?

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
4 weeks ago

That's probably because the 6000 and 9000 have different CPU core counts (depending on the exact models).  You wouldn't want to try to use a higher-core model as the leading gateway and MVC cluster it to a lesser-core peer. You also unchecked the box for "install to all cluster members or fail", ...right?

 

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Platinum
MVP Platinum
3 weeks ago
In response to Duane_Toler

Lets see what TAC says...I believe Hugo will open a case for this, if he had not already.

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
4 weeks ago

Did the version have a warning sign next to it? I think sometimes SmartConsole displays the version detected in the overview page (so it would show R81.20 there) but if you open the object it still shows R81 because that's what in the database. So even when it auto-detects the version you should open the cluster object, set the correct version and click OK. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events