This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lloyd_Braun
Advisor
‎2023-08-28 01:25 PM

CDT leaving mvc enabled on 1 cluster node?

I am noticing

 

mvc on

 

in a bunch of my r81.10 firewall cluster nodes' $FWDIR/boot/ha_boot.conf files.  It is only enabled for 1 node of the cluster, so the $FWDIR/boot/ha_boot.conf files are not consistent between cluster members.  These were upgraded r80.30 to r81.10 via Central Deployment Tool.   Is anyone else seeing this behavior from CDT? 

 

I am not noticing any impact yet except fw tab -t connections -s output shows the connection table counts about 20% off, between active/standby nodes. Usually these numbers would be a lot closer as far as I recall.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2023-08-28 04:57 PM

In a cluster, MVC is not enabled on the last cluster node to get upgraded.
Which means, in a two node cluster, only one node will have MVC enabled.
Seems like expected behavior to me.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui... 

0 Kudos
Lloyd_Braun
Advisor
‎2023-08-29 05:19 AM
In response to PhoneBoy

I would expect the Central Deployment Tool to perform step #16, (disable the MVC mechanism.)  It is leaving MVC enabled (when upgrade has completed) on all the clusters I've checked. 

0 Kudos
mahmods
Employee
Employee
‎2023-08-29 06:52 AM
In response to Lloyd_Braun

Hi @Lloyd_Braun , 

which version of CDT are you using? 
in CDT V1.9.7 (GA version) the expected behavior is to turn off MVC on the cluster members after completing the fail-over if the cluster version is R80.40 until R81.10

 

can you please share the CDT logs in private to my email for further investigation? send it please to: mahmods@checkpoint.com 

CDT saves its log files in this location on the Management Server:

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/

 

Thanks. 

Lloyd_Braun
Advisor
‎2023-08-29 08:38 AM
In response to mahmods

this is an MDS

 

./CentralDeploymentTool -v
Central Deployment Tool (version 1.9.2 build #990180607)

 

I'm not seeing CDT logs at MDS or CMA levels

0 Kudos
mahmods
Employee
Employee
‎2023-08-29 10:55 PM
In response to Lloyd_Braun

Hi @Lloyd_Braun , 

i strongly advice you to update CDT to the GA version (CDT V1.9.7). 

https://support.checkpoint.com/results/sk/sk111158 

using the updated version of CDT is very important in order to avoid such issues. 

if the issue reproduced after using CDT V1.9.7 please let me know via email. 

 

Thanks. 

0 Kudos
Lloyd_Braun
Advisor
‎2023-08-30 01:05 PM
In response to mahmods

That sounds reasonable. I was assuming that code was updated automagically with JHF application so it looks like we're several revs back.

 

Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events