Hi,

Thank you so far for the response. Please see the "runbook" for the migration, I hope, I remembered everything correctly.

Managemetn system (has been delivered with R81)

- Installed R80.40 via USB for the migration
- Installed DA Client with a newer version (DeploymentAgent_000002267_1.tgz) via gaia web ui
- Installed Package ngm_upgrade_wrapper_995000611_1.tgz was installed successfully. (Update Tools) via gaia web ui
- Installed JHF for R80.40 (Take 192) via gaia web ui
- Added licenses via clish
- Executed migration script on old system (R77.30)
./migrate export --exclude-licenses --exclude-uepm-postgres-db /var/log/db-export/mgmt_system-dump
- Faced some issues so we had to correct the policy. Used the following command to find entries which have to be adjusted.
# grep --color='auto' -P -n "[\x80-\xFF]" in objects_5_0_0.c and rulebases_5_0.fws ($FWDIR/conf)
- Executed migration script again, now with success.
- Import on R80.40 (new hardware):
/opt/CPsuite-R80.40/fw1/bin/upgrade_tools/migrate import /home/transfer/mgmt_system-dump.tgz
- Upgrade to R81 via Check_Point_ICE_T392_600SM_main_T470_R81_Gaia_3_10_Install_and_Upgrade
- Installed JHF for R81
- Exported GAIA Config from old system and imported it to new system (line-by-line)
show configuration / save configuration /tmp/config.xx

Gateways

- Already delivered with R81 (no update required)
- Used clish to import the GAIA configuration of the old system
- Adjusted interfaces, which have been changed, via GAUI and topology in the dashboard
- Installed policies
- Installed JHF / new DAagent

Sounds about right. It pretty much looks like my project plan for similar upgrades.

Do you have bon interfaces properly set on GWs? Also, when establishing SIC with the new GWs, fetch interfaces and define sync interfaces on the cluster object. Finally, two sync interfaces are no longer supported, use just one bond for sync, not two.

Some points of interest here, two that @_Val_  has mentioned already and a few more, but in this sequence:

Gaia configuration migration performed not line-by line, but using "save configuration <filename>" and "load configuration <filename>". If moving from R77.30, you may also have to use this sequence:

1. On old gateway:

save configuration <filename>

SCP config to the PC you are working from

2. On new gateway:

Gaia config load

The above is the process described in my book "Check Point Firewall Administration R81.10+" and has been mentioned in this forum in the past.

3. Establish SIC with new cluster members

4. Change the cluster hardware to the new appliance series

5. Change the cluster version to the upgrade target (r81)

6. Change the cluster objects network settings to reflect new single Sync interface (you can do "get interfaces WITHOUT topology" to simplify the process, then go over new interfaces and verify that each is configured as per your requirements.

7. Load the policy.

Regards,

Vladimir

Hi,

Thank you. Please see below the output of the requested commands.

[Expert@gatewayA:0]# cphaprob roles

ID Role

1 (local) Non-Master
2 Master

[Expert@gatewayB:0]# cphaprob roles

ID Role

1 Non-Master
2 (local) Master

[Expert@gatewayA:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 10.1.20.21 0% DOWN gatewayA
2 10.0.20.149 100% ACTIVE(!) gatewayB

Active PNOTEs: IAC

Last member state change event:
Event Code: CLUS-110600
State change: STANDBY -> DOWN
Reason for state change: Incorrect configuration - Sync interface has not been detected
Event time: Mon Aug 14 13:05:20 2023

Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Member state has been changed due to restart of the Cluster module
Event time: Mon Aug 14 12:55:02 2023

Cluster failover count:
Failover counter: 2
Time of counter reset: Fri Aug 11 11:06:38 2023 (reboot)

[Expert@gatewayB:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 10.0.20.21 0% DOWN gatewayA # Note: This is an IP address in VLAN 20
2 (local) 10.1.20.149 100% ACTIVE(!) gatewayB # Note: This is an IP address in VLAN 3020

Active PNOTEs: IAC

Last member state change event:
Event Code: CLUS-116505
State change: DOWN -> ACTIVE(!)
Reason for state change: All other machines are dead (timeout), Incorrect configuration - Sync interface has not been detected
Event time: Mon Aug 14 12:55:02 2023

Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Available on member 1
Event time: Mon Aug 14 12:55:02 2023

Cluster failover count:
Failover counter: 2
Time of counter reset: Fri Aug 11 11:06:38 2023 (reboot)

[Expert@gatewayA:0]# cphaprob list

Built-in Devices:

Device Name: Interface Active Check
Current state: problem

[Expert@gatewayB:0]# cphaprob list

Built-in Devices:

Device Name: Interface Active Check
Current state: problem (non-blocking)

[Expert@gatewayA:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 0

Interface Name: Status:

bond2.20 (LS) UP
bond2.3020 (LS) UP

Warning: Sync will not function since there aren't any sync(secured) interfaces

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 1

bond2.20 10.0.20.20 VMAC address: 00:1C:7F:00:1A:59

[Expert@gatewayB:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 0

Interface Name: Status:

bond2.20 (LS) UP
bond2.3020 (LS) UP

Warning: Sync will not function since there aren't any sync(secured) interfaces

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 1

bond2.20 10.0.20.20 VMAC address: 00:1C:7F:00:1A:59

[Expert@gatewayA:0]# cphaprob syncstat

Delta Sync Statistics

Sync status: Off - Sync interface down.

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent messages:
Total generated sync messages................ 24352
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 1

Received messages:
Total received updates....................... 0
Received retransmission requests............. 0

Sync Interface:
Name.........................................
Link speed...................................
Rate......................................... 0 [Bps]
Peak rate.................................... 0 [Bps]
Link usage................................... 0%
Total........................................ 0 [B]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Mon Aug 14 14:50:59 2023 (triggered by fullsync).

[Expert@gatewayB:0]# cphaprob syncstat

Delta Sync Statistics

Sync status: Off - Sync interface down.

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent messages:
Total generated sync messages................ 71328
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 1

Received messages:
Total received updates....................... 0
Received retransmission requests............. 0

Sync Interface:
Name.........................................
Link speed...................................
Rate......................................... 0 [Bps]
Peak rate.................................... 0 [Bps]
Link usage................................... 0%
Total........................................ 0 [B]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Fri Aug 11 11:26:14 2023 (triggered by fullsync).

From the output above:

Warning: Sync will not function since there aren't any sync(secured) interfaces

You need to define a sync interface on the cluster object.

@_Val_ Makes an excellent point...shows you dont have sync even configured. Ok, maybe you have it set on the OS level, BUT, if its not defined in topology, this will never work. Can you verify topology in the smart console?

Andy

Hi,

First of all, thank you all for your comments. A sync interface was and is configured in the topology, this can be validated via SmartConsole. At the begining, we had two, now, after your comments, I have changed it to one sync interface. But it is still true, that the cphastart script is somehow still referring to the old interfaces.

/opt/CPsuite-R81/fw1/bin/cphaconf -D -i 1 -n 1337 -c 2 -m 4 -l 1 -t bond2.10 bond2.11 ... start

Where are these parameter (-t bond2.10 bond2.11) coming from?

And does anyone know what the reference is for this comparsion?

file_diff_compare_data_to_file: returning 1 for file /opt/CPsuite-R81/fw1/database/cluster_policy.C

The policy has been fetched from the management system but there is still no change in the behavior of the gateway(s). Do I have to load something else / additional to the policy from the management system so that the sync interfaces are recognized.

K, lets start at the beginning (no pun intended). So, can you ensure that all the required interfaces are indeed configured properly on both clustered members? If yes, head over to smart console, edit the cluster object, go to topology and MAKE SURE that every cluster interface is configured as such and VIP is set as well. Click "get interfaces WITHOUT topology", if good, install policy and run cphaprob state command on both again. If it gives an error, please send it here, so we examine further.

Dont worry, I feel confident we will be able to help you fix this.

Andy

Good job!!