- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hey guys,
I really hope someone might be able to give some sigguestion/opinion on this, as to me, it makes no logical sense why this fails...could be because of mdps, not really sure. Anyway, to make long story short, customer is replacing their existing 4 15000 fws with new 4 9700 devices (2 separate clusters). We did migrate export from existing mgmt, imported to new one, connected both new clusters, built basic policy after setting up mdps, with ONLY 2 interfaces active (mgmt and sync).
But, here is the problem. Though policy is fine, when installed, only fw1 sdhows as active and fw is down (same on both clusters). We just assigned 169.254.x.x IPs as sync, since customer wanted to give it IP from same mgmt subnet, but that cannot work.
Oddly enough, pings to sync IP work from both members, but fw2 always shows as down...we tried cphastop; start, cprestart, reboot,. disable/re-enable cluster, no dice.
Worked with TAC, they kept telling us its layer 2 iussue, but I cant really understand how that can be the problem. Client even verified everything on of their Fortigates as well, all is allowed and even he was surprised they were "forcing" layer 2 argument.
Thoughts?
Thanks as always!
1 Solution
Accepted Solutions
Good day!
The one thing that draw my attention is the APIPA address used for the Sync interface. An intuition told me that most probably you cannot use APIPA as a static address for Sync.
Quick check in a Lab shows that indeed we have ACTIVE/DOWN only because of the IP-addresses.
I have changed eth4-1(used for Sync) IP-address from
172.16.18.1/24 (23800_1) and 172.16.16.2/24 (23800_2)
to
169.254.1.50/24 (23800_1) and 169.254.1.51 (23800_2)
As a result, I got Active/Down from both ends after cpstop/cpstart. Your problem is replicated successfully. There is no MPDS used at all.
RFC 3927 states that 169.254.0.0/16 network is for automatic IP-address configuration. I may guess that Checkpoint follows the guideline and doesn't allow to configure an IP-address from this range manually.
Similar point is stated in sk179028
These IP subnets are reserved (you cannot use them in the CIN IP ranges):
0.0.0.0 / 8
127.0.0.0 / 8
169.254.0.0 / 16
192.0.2.0 / 24
224.0.0.0 / 4
203.0.113.0 / 24
Please, send my best regards to TAC engineers and don't make any unnecessary actions until you try to assign non-APIPA address for the Sync!
| User | Count |
|---|---|
| 56 | |
| 42 | |
| 15 | |
| 14 | |
| 14 | |
| 11 | |
| 11 | |
| 10 | |
| 9 | |
| 8 |
Fri 13 Feb 2026 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 43: Terugblik op de Check Point Sales Kick Off 2026Thu 19 Feb 2026 @ 03:00 PM (EST)
Americas Deep Dive: Check Point Management API Best PracticesFri 13 Feb 2026 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 43: Terugblik op de Check Point Sales Kick Off 2026Thu 19 Feb 2026 @ 03:00 PM (EST)
Americas Deep Dive: Check Point Management API Best Practices