This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Quadra
Explorer
‎2023-01-12 11:34 AM
Jump to solution

After updating to 81.10 HA module not started

Hi

 

After updating our Security gateway from 80.40 to 81.10 it shows "HA module not started" when querying for cphaprob state.
Gaia is also not available anymore.
Cphastart, reboot, ... does not seem to fix the issue.

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-01-12 04:45 PM
Jump to solution

When you do a version upgrade on a gateway, the relevant object must be changed to the target version and the policy installed after the upgrade completes.
This is documented in the Install and Upgrade Guide and is a mandatory step.
Without doing it, you will experience exactly what you're seeing since the previously installed policy is no longer valid. 
In this case, the DefaultFilter loads and the gateway will be generally inaccessible over the network until the policy is installed again.

View solution in original post

0 Kudos
_Val_
Admin
Admin
‎2023-01-15 11:28 PM
In response to Quadra
Jump to solution

You are looking to the wrong part of the upgrade guide. Look into the Cluster Upgrade chapter: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

You need to install policy to the new upgraded Cluster Member, it can only be done after updating the cluster object version on the management side.

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2023-01-12 04:45 PM
Jump to solution

When you do a version upgrade on a gateway, the relevant object must be changed to the target version and the policy installed after the upgrade completes.
This is documented in the Install and Upgrade Guide and is a mandatory step.
Without doing it, you will experience exactly what you're seeing since the previously installed policy is no longer valid. 
In this case, the DefaultFilter loads and the gateway will be generally inaccessible over the network until the policy is installed again.

0 Kudos
Quadra
Explorer
‎2023-01-13 01:55 AM
In response to PhoneBoy
Jump to solution

Thank you for your reply.

I've followed the white page "Upgrade Options and Prerequisites" and "Upgrade of Security Gateways and Clusters".
I didn't see any mention of updating the cluster object.

Now I have a gateway on R81.10 and 1 on R80.40 with the R80.40 the only one working at this moment.
So I have to set the Cluster Object to R81.10 and the R81.10 gateway will work again?

0 Kudos
Quadra
Explorer
‎2023-01-13 02:15 AM
In response to PhoneBoy
Jump to solution

Here I have found that you only need to update the object version after updating the secondary server (step 9). https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

0 Kudos
_Val_
Admin
Admin
‎2023-01-15 11:28 PM
In response to Quadra
Jump to solution

You are looking to the wrong part of the upgrade guide. Look into the Cluster Upgrade chapter: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

You need to install policy to the new upgraded Cluster Member, it can only be done after updating the cluster object version on the management side.

jacobog
Employee
Employee
‎2023-01-16 02:15 AM
In response to Quadra
Jump to solution

You do have to put the cluster object in SmartConsole in R81.10. And install policy in the cluster unchecking the box of installing in all members or not install. (In fact the installation will fail in the member still in R80.40, it´s normal).

After installing the policy you will see the member in the cluster with cphaprob stat (it will be in ready state because of another member with older version).

If the policy installation fails in the R81.10 member use the fw unloadlocal and retry

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-12 06:02 PM
Jump to solution

Make sure as @PhoneBoy said to confirm that cluster object is indeed set to R81.10 on smart console for the cluster. If you can ssh into the appliance, verify the policy by running fw stat.

IF it shows initial policy, that should let person at least ssh into the box AND also web UI, but only on port 443, nothing else. If you use a different port for web UI, then you can just run fw unloadlocal and access it,

However, if fw stat shows defaultfilter, you have no choice but to run fw unloadlocal, as defaultfilter blocks everything.

Hope that helps.

Andy

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-01-12 07:16 PM
Jump to solution

What does your tail -f $FWDIR/log/cpconf.elg log says? and cphamcset.elg? 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events