This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roadrunner88
Contributor
Tuesday

5400 Appliances losing Routing-Connection after reboot

Hello,

 

we`ve installed two 5400 Firewalls running in a clusterXL, currently running on R80.10.

The Firewalls have been fully configured and policy is installed without errors on both sides (via management server).

After a planned reboot of one of the Firewalls, the firewall is not reachable anymore by IP from foreign networks.

Its only possible to reach it by IP via the directly connected Core Switch, which is the Gateway for the used network.

When I make a Ping from one of the Firewall to an outside network, it reports error:

abcd> ping xxxxxxxxx
connect: Network is unreachable

The ping to the Gateway IP is working

As I said, the firewall was fully configured, reachable and working (default route was set)

It seems like IP forwarding is disabled or something like that.

How can I fix this?

Why does it happen?


Thanks!

0 Kudos
11 Replies
emmap
Employee
Employee
Wednesday

Your version is quite out of support, but I'd suggest starting with some layer 2 and 3 troubleshooting - is the default route in the table properly? Does the appliance have an ARP entry for the default route? Can you ping local IPs?

Also, check the clustering - is there a pnote for routed?

0 Kudos
Roadrunner88
Contributor
Wednesday
In response to emmap

The Firewalls have been new installed and the next step would be the upgrade to the current version, but we have now this problem.

 

As i wrote:

all was working, routing, reachability also from outside location  
But after reboot I cant ping anyhting except the default gateway address

Arp entry on the appliance is present for the default GW address

 

0 Kudos
emmap
Employee
Employee
Wednesday
In response to Roadrunner88

We recommend starting with a fresh install of your desired version off a USB key, rather than starting old and upgrading it. You'll get a cleaner install and better performance, as the file system on the disk will be newer and faster. An in-place upgrade (or clean install through CPUSE) will not upgrade the file system.

https://support.checkpoint.com/results/sk/sk65205

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Wednesday
In response to Roadrunner88

Is there even a JHF on the machine currently?

I agree with Emma, between troubleshooting this (without TAC) and navigating the multi-step upgrade save yourself some time.

CCSM R77/R80/ELITE
0 Kudos
Roadrunner88
Contributor
Wednesday
In response to Chris_Atkinson

Hey there,

thanks for your help.
The Firewall sadly is on the other side of the world, no joke at this point its 12000km away 🙂



I will try to find someone who can manage this upgrade as you suggested.

 

I will come back if the problem persists after upgrade.

 

0 Kudos
the_rock
Legend
Legend
Wednesday
In response to Roadrunner88

I read all that was said here and Im almost 100% positive the upgrade here may not solve much, specially if the error says what you wrote, network is unreachable. Yes, I agree with both Emma and Chris, version is totally unsupported, but first, before you upgrade, routing should be fixed. Personally, you could be on R55 or R82, if routing is broken, it wont make any difference,

Lets start with basics here...if you run this command from expert mode -> ip r g 8.8.8.8, what do you see? Does it look correct? Also, can you send output of just route command?

Best,

Andy

0 Kudos
Roadrunner88
Contributor
Thursday
In response to the_rock

Hi

[Expert@xxxxxxxxxx:0]# ip r g 8.8.8.8
RTNETLINK answers: Network is unreachable

Kernel IP routing table
Destination     Gateway        Genmask       Flags           Metric Ref Use Iface
aa.xxxxxxx.0           *           255.255.255.252 U 0 0 0                            bond1   <----- Sync Link
bbxxxxxx.0                 *           255.255.255.240 U 0 0 0                            eth2 <----- Uplink
cc.xxxxxx16               *           255.255.255.240 U 0 0 0                            Mgmt <---------- MGMT
ddxxxxxxxx.0               *           255.255.255.0 U 0 0 0                                 eth1 <--------------LAN

the default gateway is not present, also after set route default command

it should look like that, shouldnt it?

Destination  Gateway              Genmask             Flags Metric Ref Use Iface
default         a.b.c.1                     0.0.0.0               UG 0 0 0                    xxxxxxx

so the question is, why the device is losing the defualt route and why i cant configure it again?



 

 

0 Kudos
emmap
Employee
Employee
Thursday
In response to Roadrunner88

Is routed running? Can you check the cluster pnotes?

0 Kudos
Roadrunner88
Contributor
Thursday
In response to emmap

can you help me with that? 
how can I check this?

0 Kudos
emmap
Employee
Employee
Thursday
In response to Roadrunner88

cphaprob stat

cphaprob list 

ps aux | grep routed

0 Kudos
the_rock
Legend
Legend
Thursday
In response to Roadrunner88

Ok, maybe silly question, but if you are setting DG via clish, are you running save config to save it?

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events