Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Cimpeanu
Collaborator

Gaia R81.20 Titan on centrally-managed 3200 HA cluster

 Hi gents,

Based on practical experience and leaving aside the R81.20 release notes, would you recommend R81.20 on centrally-managed 3200 appliances or should I stick to R81.10? 

I have tried R81.20 on a standalone (locally-managed) 3200 appliance and it almost brought it to its knees, SmartConsole was mostly unresponsive and the appliance itself was very much struggling.

I'm worried that R81.20 might be too heavy for the 3200 even if it's centrally-managed? 

 

Thanks,

Daniel

0 Kudos
22 Replies
Chris_Atkinson
Employee Employee
Employee

For context how much traffic is the appliance expected to see and what blades are you planning to enabled?

CCSM R77/R80/ELITE
Daniel_Cimpeanu
Collaborator

It's running  Firewall, IPSec, APPCTRL, IA and IPS

 

Below load is in off-hours, I didn't get the chance to check it during the day:

CPU User Time (%): 2
CPU System Time (%): 11
CPU Idle Time (%): 87
CPU Usage (%): 13
CPU Queue Length: -
CPU Interrupts/Sec: 6691
CPUs Number: 4

0 Kudos
Chris_Atkinson
Employee Employee
Employee

In general, it should work but please allow me to rephrase. What is the expected throughput?

Note HCP will help to identify any gotchas with the current configuration.

CCSM R77/R80/ELITE
Jim_Holmes
Employee Alumnus
Employee Alumnus

Also run a cpsizeme (sk88160), it gives a good performance overview (send to your SE)

Aka, Chillyjim
Daniel_Cimpeanu
Collaborator

Thank you, I'll give that a go and evaluate it. 

On a first attempt, it seems to have failed; CPUSE gives me following error without any other information:

<b>Upgrade of package Check_Point_R81.20_T631_Fresh_Install_and_Upgrade.tgz Failed</b><br><br>Failed during export process.<br><br>Contact Check Point Technical Services for further assistance.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

It can run on the 3200 with R81.20 but this is according to load / enabled blades. As Engineering support ends next December i would rather trade them in 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Cimpeanu
Collaborator

Noted, replacements will for sure be purchaset at a later time; for now I need these 3200 appliances upgraded asap.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

If R81.10 + Rec JT works as expected i would just stay - but that is a personal decision. NCARS 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Cimpeanu
Collaborator

Might indeed be the way to go, I was optimistic and hoping to have it on R81.20 🙂 

0 Kudos
Daniel_Cimpeanu
Collaborator

Now this is new to me.. if it would have somewhat made sense on R81.20, but for R81.10 it comes as a surprise. 

81.10_failed_upgrade_from_80.40.png

0 Kudos
_Val_
Admin
Admin

Please open a support call with TAC for this.

Daniel_Cimpeanu
Collaborator

Already on it, managet to get an SR registered for this. Thanks 🙂 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

What is the reason, low disk space ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Daniel_Cimpeanu
Collaborator

Doesn't seem so to me 😕 

 

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

What is the current source version & Jumbo that you are upgrading from?

How much disk space is free and is the Deployment Agent up to date?

CCSM R77/R80/ELITE
0 Kudos
Daniel_Cimpeanu
Collaborator

Upgrading from R80.40 JHF 196; doesn't look like a free disk space issue to me at least (see image shared above). 

Agent: Enabled
Build number: 2337 (agent build is up to date)
Network connection: connected
Update from cloud: Last updated on Tue Nov 7 10:49:27 2023
License: Valid

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Thanks as Val suggests please contact TAC who can assist in reviewing the logs for the upgrade failure/s.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Cimpeanu
Collaborator

A fast update on this issue - Checkpoint TAC didn't manage to pinpoint the root cause for this upgrade failure. A lot of hours got used on this issue and I was forced to move on, so a R81.10 fresh install was done for the appliance.

Without a root cause, there's not much to learn from this fault unfortunately, except for the fact that one can be lucky or unlucky with TAC depending on the skills of the enginner assigned for the SR. 

0 Kudos
Jim_Holmes
Employee Alumnus
Employee Alumnus

You can always ask for the case to be escalated if you stall out. Whenever you are doing upgrades, let your SE know ahead of time (we hate getting calls for something we didn't know was happening), and you can also open a proactive case and pre-load it with all the information about what you are doing. 

*** ALWAYS include the following when opening an SR ***

cpinfo from management and all devices involved. ***This is always going to be asked for***

A "show configuration" from all devices involved.

A "migrate export" of the manager.

 

I will normally open the ticket online, add the above, then call into TAC.

Aka, Chillyjim
0 Kudos
Arskaz
Contributor

Hi!

Tried today to install latest R81.20 Blink + JHF T41 to 3200 cluster.

Installed to standby member. Installation took about one and half hours!!!

After done, it keeped eating one cpu core about 100% (fw_full) even being standby member, didn't find reason. Reverted back...and never installed another member...

-A

0 Kudos
Daniel_Cimpeanu
Collaborator

Yeah, it very much depends on how many blades you have active. I for one decided to stick to R81.10 and will keep patching for as long as it will be supported, the 3200 will anyways be end of life roughly the same time as R81.10 (end of engineering support June 2024, end of support December 2025 for the appliance, end of support July 2025 for R81.10).

Support Life Cycle Policy - Check Point Software

/Daniel

0 Kudos
Arskaz
Contributor

Actually installed 81.10 today to same environment. Same results. Waited for 45 minutes and cpu calmed down.

Also found reason: System is just so slow (slow hdd). For example fw load_sigs took very long time.

Sticked to R81.10, because those are going to replaced before end of support.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events