
R81.20 New Recommended Jumbo - Take #26

gadt
Employee

Hi All

 

R81.20 Jumbo HF Take #26 is now our Recommended Jumbo take and is available for download to all via CPUSE (as recommended) and via Jumbo documentation R81.20 

 

A full list of resolved issues can be found in the Jumbo documentation R81.20 

 

Note:

  • Central Deployment allows you to perform a batch deployment of Hotfixes on your Security Gateways and clusters from SmartConsole!! For more information, see sk168597.
  • With Blink images, you can upgrade your environment to the required Major version including its recommended Jumbo hotfix in one step, using a single image file.

You can install Blink images using CPUSE – More details can be found in sk120193

 

Thanks,

Release Operations Group

9 Comments
Perry_McGrew
Collaborator

BGP Issue with JHF26.   We did a straight apply of JHF26 on CP3200 running R81.20 JHF24.  No other modifications.   This CP3200 serves as a P2P VPN with Verizon -- it uses BGP to route traffic over the Primary or Backup connections.

After the JHF26 apply - which was successful - the VPN tunnels reported UP.  But no traffic was moving across the tunnels.

Long story short, Verizon reported they saw the BGP connections were "flapping".  Something I could not see in the WebUI or the logs.   The app using the tunnel is critical.  When I reverted back to JHF24, everything worked fine.

TAC has verified the issue in their lab with JHF26 and a T3 engineer is looking into it.

This CP device is the only one running BGP. All our other CP Gateways and Mgt devices are on JHF26 and have been solid.

the_rock
Legend

We have a window to upgrade a customer's cluster from R81.10 jumbo 78 to R81.20 jumbo 26 tomorrow. They have BGP going via xpress route to Azure. Now I'm a little hesitant based on your comment to actually install jumbo 26... thoughts @Perry_McGrew?

Andy

Naama_Specktor
Employee

Hello @Perry_McGrew,

My name is Naama Specktor, I am a Check Point employee.

I will appreciate it if you can share the TAC SR number, here or in PM.

Thanks in advance,

Naama Specktor

the_rock
Legend

@Naama_Specktor Just to update quick, I went into support chat last night, mentioned this post to the person I chatted with and they said this was the only instance TAC knew about. Regardless, considering the huge importance BGP plays for the customer we are upgrading tonight, the TAC engineer and I agreed it's best to stick with take 24 for now. Better be safe than sorry and honestly, no offence, I do NOT want to be on the phone with support till 4 am troubleshooting BGP lol

Andy

Perry_McGrew
Collaborator

Good morning @the_rock

I am not that knowledgeable with BGP. It's not an interior routing protocol we use inside our company. Anyway, I did not take any CPINFO while on JHF26 as the symptoms appeared to point to Verizon. The application runs on a cellular Chromebook on the VZN network. We have redundant VPN tunnels between VZN and the CP3200. BGP controls the failover between the primary / secondary tunnels. The application on the Chromebook has to come through the VPN from VZN side.

After updating from JHF24 to JHF26 I was seeing NO traffic from VZN. SmartMonitor was showing the 2 tunnels as UP (Green check marks) but all the traffic counters were 0. I spent hours tracking down VZN wireless support and I rebooted the CP3200 to see if that would resolve. We are in Healthcare and are required to report significant outages to Dept of Health. This application is our Electronic Medical Records (EMR). While waiting for VZN Wireless support to respond, I decided to roll back to JHF24. Once I did, everything worked - traffic immediately was seen coming through the primary BGP circuit's VPN tunnel. VZN Wireless tech reported that their logs showed the tunnels "flapping" during the day. I opened a Check Point TAC case and uploaded CPINFO from the CP3200 JHF24 to the SR (using the -s option). Somehow TAC can't find it! But I gathered the BGP diagnostic commands from an SK and sent the output to the case along with the description of the process taken. The initial TAC engineer (out of Ottawa) was able to reproduce the issue in the lab just from the BGP command outputs. It now sits with Tier 3 TAC engineer in Dallas.

I have JHF26 on my Management server, 5800 HA cluster and the other 3200 Gateways. I have not run into any issues. This particular 3200 gateway is the only one that has BGP configured.

Regards,

Perry

the_rock
Legend

Thanks a lot @Perry_McGrew, that's PERFECT explanation, appreciate it mate! 🙌🙌

Since we fully manage this customer, out of caution, decision was already made to go with R81.20 take 24, because as I mentioned to @Naama_Specktor, I really don't want to be up all night troubleshooting BGP with TAC, I would rather be, I don't know... sleeping LOL

Cheers,

Andy

Perry_McGrew
Collaborator

Just received Email below from TAC on R81.20 JHF26

 

"Thank you for your patience, we are working with our internal resources on getting our R&D team engaged on this issue. There does appear to be a bug relating to BGP & VPN and non-ClusterXL firewalls. "

 

Perry

the_rock
Legend

Ok, fair enough. Though this is ClusterXL, we won't take a risk, not worth it.

Thanks @Perry_McGrew 

Andy

the_rock
Legend

Thanks @Perry_McGrew for all your responses, greatly appreciated. We upgraded customer to R81.20 jumbo 24 and all went perfect...vpn, bgp, C2S vpn connectivity, Azure link, all worked 100%.

Cheers,

Andy
