This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
Advisor
‎2022-06-28 12:38 AM

SMB 1500 Upgrade not reliable

I have a few 1500 series in different countries managed by Smart-1 Cloud running R80.20.X.

I've downloaded R80.20.40 from the SK for the 1500 series, verified the hash and uploaded it on the machine where it's recognized.

So far, so good. I've started upgrading the first machine and after reboot it didn't come back online.

After a couple of hours, the firewall was back online and had rolled itself back to R80.20.X. No particular messages in logs.

TAC told me that it can happen and I should try again until it succeeds as these systems have an embedded software and there's only one way of doing the upgrade. I had this behavior already on systems where I was onsite but in this case they're scattered in different countries and I don't feel like brute-forcing the upgrade on a customer infrastructure when everything is done by the book with potential hours-long downtimes.

Long story short,  is it an experience of Spark 1500 here users can relate to? I don't know if the fact they're managed by Smart-1 Cloud has any influence in this.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-06-28 10:45 AM

Smart-1 Cloud should not impact this, at least to my knowledge.
If you can get console access to the affected platforms during the upgrade, it might shed some light on what's happening during the upgrade process.

0 Kudos
Greg_Harbers
Contributor
‎2022-06-28 02:49 PM
In response to PhoneBoy

We have had a similar issue, although only on 1590s, not on 1550s. 

In our case, the gateways have a connection to the customers internal WAN and the internet. Following the topology that we had in place when we were using 1400 series gateways, we used the connected the Internet to the gateway WAN port, and the customer WAN to the DMZ interface, with the site internal network connected to vlan interfaces on the LAN1 port. We disable the internal switch on these devices. 

On 1590s with such a configuration, attempts to upgrade the gateway would do exactly what you described. The firmware would appear to upload correctly but after some time, the gateway would finally come back to the original version. We had a connection to the devices console port and we could see the boot messages. Effectively what was happening was that the gateway would go into maintenance mode and reboot five times to boot of the new firmware. After five attempts, the device would revert back to the original release.

The fix was to use another interface for the customers wan connection, in this case we used LAN8. Having done this we have not experienced the issue since. Why we never struck the issue on 1550s is because these devices do not have a DMZ interface hence we always use LAN5 for the customers WAN connection.

Hope this helps.

 

Alex-
Advisor
‎2022-06-29 05:40 AM
In response to Greg_Harbers

@Greg_Harbers this is great information and thank you for sharing.

It's 1590'sall over the place so it might be an issue with that series. I don't use the DMZ port and LAN switch is also disabled, but I use LANBOND interfaces. It's typical LAN - FW - Internet setups.

I wonder if this issue is known to Check Point as it's currently blocking the rollout of R80.20.40 as the first attempt caused quite an outage and the selling point of these boxes was the minimal administration and moving parts needed since they're in place in different countries.

I can't really change the network design either.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-29 05:44 AM
In response to Alex-

A TAC case is probably in order.
Getting console access to one of the systems will likely be required for troubleshooting.

0 Kudos
Alex-
Advisor
‎2022-07-10 11:07 AM
In response to Alex-

Tried again and same issue so it wasn't just a mishap the first time it failed.

It was solved by putting a bogus IP on the unused DMZ interface and proceeding with the upgrade, then the system went back online with R80.20.40 after a few minutes.