This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AndyDixon
Participant
‎2019-12-04 03:20 AM
Jump to solution

DNS error affecting CP updates

Hello all.

My second question here.  Hopefully I will supply all the necessary information.

My organisation has a ClusterXL HA pair of 5900 appliances running R80.20 Jumbo HF take 118.  I have noticed on SmartConsole Gateways & Servers that the standby node is showing an error.  Looking at the Device Status of the node, the IPS, Anti-Bot & Anti-Virus blades are displaying 'Error: Update failed. Contract entitlement check failed. Could not reach"updates.checkpoint.com". Check DNS and Proxy configuration on the gateway'. 

I have connected via SSH to both nodes in the cluster and verified that I can ping external and internal endpoints from both nodes.  I entered Expert mode on both nodes and ran dig against a known internal and external domain name.  This was successful on the active node but failed on the problematic standby node with 'connection timed out; no servers could be reached'.

I power cycled the standby node this morning.  I am now seeing Connection Alerts in the SmartConsole log for DNS queries originating from the problematic gateway.  The reason is 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0)'.  We are not using domain objects.

Both HA nodes have identical NAT and policy.

I have reviewed DNS Error Message  but it does not appear relevant.

It may be unrelated, but there is a noticeable delay between entering the username and the password prompt appearing when accessing the problematic node via ssh.

I'm wondering what else I can test before pushing the issue out to TAC.

Thanks,

Andy

0 Kudos
1 Solution

Accepted Solutions
mdjmcnally
Advisor
‎2019-12-04 03:34 AM
Jump to solution

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Is what would work through.   The SK it relates too is more about access to the standby box.

Doesn't happen everytime but this SK has resolved everytime has happened, sometimes the kernel parameter enough other times have to do the Rules to Not Hide Traffic from the box behind the Cluster.

 

View solution in original post

5 Replies
mdjmcnally
Advisor
‎2019-12-04 03:34 AM
Jump to solution

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Is what would work through.   The SK it relates too is more about access to the standby box.

Doesn't happen everytime but this SK has resolved everytime has happened, sometimes the kernel parameter enough other times have to do the Rules to Not Hide Traffic from the box behind the Cluster.

 

Ruan_Kotze
MVP Gold
MVP Gold
‎2019-12-04 03:53 AM
In response to mdjmcnally
Jump to solution

Another vote for  sk43807.  Had a couple of instances where I had this exact issue, and step 4 of the aforementioned SK resolved it for me each time.

AndyDixon
Participant
‎2019-12-04 08:34 AM
In response to Ruan_Kotze
Jump to solution

Thanks both.

I followed the SK you referenced and step 4 resolved the issue for me.  Apologies, I didn't find that SK when I was carrying out initial investigations.

Thanks again.

Andy

0 Kudos
mdjmcnally
Advisor
‎2019-12-04 08:45 AM
In response to AndyDixon
Jump to solution

Not a problem, I was just looking for an SK that I knew existed and was struggling to find it.   Sometimes the SK searching can be "interesting" as don't always get back what looking for.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-12-04 10:09 AM
In response to mdjmcnally
Jump to solution

Another way to deal with this issue is to create 2 no-NAT rules, as your standby gateway traffic is hidden behind the cluster IP, when you add a rule that says when traffic is originating from the gateway (add a rule for each cluster member) to any, use original (as long as you objects have the external IP on them, otherwise create 2 objects with the Internet IP's and use those objects in the no-NAT rules).
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events