EricB84
Participant

Gateway in red on smartconsole

Hi,

We have two gateways in a cluster.

The first gateway is in red.

I think I can't add or modify existing rules...

I don't understand why there is a gateway in red; there was no modification...

I only have the admin account to access SmartConsole R80.30 and the Gaia web portal R80.30, and the expert password.

I don't have a CLI password to access the gateway directly in the CLI.

How can I get this gateway back to green, without breaking the other gateway or completely blocking the company's access through the rules on the outside?

Thank you very much,

Eric


14 Replies
_Val_
Admin

R80.30 has been out of support for a while now.

As the error shows, you have an issue with ClusterXL on one of the gateways. You need gateway access to troubleshoot. If you can access the gateway WebUI, use the same credentials to access it via SSH or console.

EricB84
Participant

Hi Val,

I get this message when connecting to the first gateway.
I found the password for the second gateway and it's OK!

For the first one I get this message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX....... 
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending key in /home/admin/.ssh/known_hosts:2
RSA host key for 10.38.204.24 has changed and you have requested strict checking.

_Val_
Admin

Ignore this warning for now. Connect to the first GW via SSH and run the "cphaprob stat" command.
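The "REMOTE HOST IDENTIFICATION HAS CHANGED" warning above is the SSH client refusing to trust a host key that differs from the one it recorded in /home/admin/.ssh/known_hosts. Whether the entry is cleared now or later, the check a practitioner wants before trusting the new key is an out-of-band comparison: read the gateway's own fingerprint from its console or Gaia WebUI (on the gateway, `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`, with `-E md5` on newer OpenSSH to get the colon-hex style shown above) and only then replace the stale line. The following is an added example written for this thread, not code from the original post or from Check Point: the RSA keys, the known_hosts content and the "console" fingerprint are all constructed so it runs offline; only the address 10.38.204.24 comes from the warning.

```python
"""Check a changed SSH host key against a fingerprint read out of band.

Added example for this thread; not part of the original post and not Check Point
tooling. The RSA keys, the known_hosts file and the "console" fingerprint are
all constructed here. Only the address 10.38.204.24 comes from the warning above.
"""
import base64
import hashlib
import struct


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """OpenSSH wire encoding of an RSA public key: string "ssh-rsa", mpint e, mpint n.
    This is what the base64 field of an "ssh-rsa AAAA..." line decodes to, and what
    both fingerprint styles are computed over."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # spare byte keeps the sign bit clear
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


def fingerprints(pubkey_b64: str) -> dict:
    """The two forms `ssh-keygen -l` can print: MD5 colon-hex (the XX:XX:XX style the
    client in the thread shows) and SHA256 base64 without padding."""
    blob = base64.b64decode(pubkey_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
            "SHA256": "SHA256:" + sha}


def verify_and_update(known_hosts: str, host: str, presented_key: str, console_fp: str):
    """Replace the stale known_hosts line for `host` only if the key the SSH client was
    presented matches the fingerprint taken from the gateway's own console (or Gaia
    WebUI). Returns (accepted, new_known_hosts); on mismatch the file is returned
    unchanged so the client keeps refusing the connection."""
    if console_fp not in fingerprints(presented_key).values():
        return False, known_hosts
    kept = []
    for line in known_hosts.splitlines():
        hosts = line.split(" ", 1)[0].split(",")  # plain entries; hashed |1| lines are left alone
        if host not in hosts:
            kept.append(line)
    kept.append(f"{host} ssh-rsa {presented_key}")
    return True, "\n".join(kept) + "\n"


# Constructed keys: tiny moduli, used only so the encoding and hashing run offline.
OLD_KEY = base64.b64encode(ssh_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)).decode()
NEW_KEY = base64.b64encode(ssh_rsa_blob(65537, 0xDEADBEEF0BADF00D4242)).decode()
ROGUE_KEY = base64.b64encode(ssh_rsa_blob(65537, 0x1337133713371337)).decode()

# Constructed known_hosts; line 2 is the "offending key" for 10.38.204.24.
KNOWN_HOSTS = (
    f"10.38.204.25 ssh-rsa {OLD_KEY}\n"
    f"10.38.204.24 ssh-rsa {OLD_KEY}\n"
)


def demo():
    """Fingerprint as read on the gateway console (simulated from NEW_KEY), then two
    attempts: the genuine new key is accepted, a rogue key with a different
    fingerprint is not."""
    console_fp = fingerprints(NEW_KEY)["MD5"]
    genuine = verify_and_update(KNOWN_HOSTS, "10.38.204.24", NEW_KEY, console_fp)
    rogue = verify_and_update(KNOWN_HOSTS, "10.38.204.24", ROGUE_KEY, console_fp)
    return genuine[0], rogue[0]


if __name__ == "__main__":
    print("fingerprints of the key now presented:", fingerprints(NEW_KEY))
    print("genuine accepted, rogue accepted:", demo())
```

The point of the structure is that the only path that writes to known_hosts runs after the fingerprint comparison; simply deleting line 2 and reconnecting would accept whatever key answers on 10.38.204.24, which is exactly what the warning exists to prevent. On a real client the equivalent manual steps are `ssh-keygen -R 10.38.204.24` followed by a fresh connection whose prompted fingerprint is compared to the console value.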
EricB84
Participant

Cluster Mode: High Availability (Primary Up) with IGMP Membership

ID         Unique Address   Assigned Load   State    Name

1 (local)  1.1.1.1          0%              DOWN     fw1-CKP
2          1.1.1.2          100%            ACTIVE   fw2-CKP


Active PNOTEs: IAC

Last member state change event:
Event Code: CLUS-110800
State change: INIT -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Apr 9 09:59:29 2024

Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth3 is down (Cluster Control Protocol packets are not received)
Event time: Thu Apr 4 13:23:37 2024

Cluster failover count:
Failover counter: 13
Time of counter reset: Mon Aug 23 07:42:39 2021 (reboot)

 

I found this topic about removing the firewall from the cluster and adding it again:

https://support.checkpoint.com/results/sk/sk88360

Is it possible?

Won't it block the whole LAN if there is only one firewall active in the cluster?

Thanks

Vincent_Bacher
Advisor

"Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)"

So the interface configurations should be checked and compared between both nodes.
It seems like there is an interface configured in the SmartConsole object's topology and on one of the nodes, but not on the other.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vincent_Bacher
Advisor

You may also use commands like

cphaprob -a if
fw getifs

and look at the output.
Or at least connect to the Gaia web interface and check / compare the interface configs of both nodes.
Vincent_Bacher
Advisor

Besides the unsupported release:

The red cross icon can have many reasons. What does the little popup say when you move the mouse over it?
EricB84
Participant

Hi Vincent,

Thanks for your help.

It's in the attached files.

I don't know how to connect directly to the gateway.

It's OK through the management console only, but nothing more.
the_rock
Legend

Just try this from SmartConsole, as per my screenshot, and see what it shows you. And yes, send the output of cphaprob -a if from both members, as well as the output of cpconfig.

Andy

Attachment: Screenshot_1.png
EricB84
Participant (accepted solution)

I have the solution!

In fact, the interface on our backbone was shut.

I connected to the Cisco 4500, did shut / no shut, and it works now.

All is green.

But I don't understand our configuration.

We have an RJ45 cable between the two gateways of type sync,

two cables directly into the Cisco backbone, with an interco VLAN,

and two other cables to the switch stack in another VLAN (the same as the VLAN for SmartConsole).

I don't understand why there is an interco with the backbone and a cable between the two gateways.

Thanks

Vincent_Bacher
Advisor

@EricB84 wrote:

I have the solution!


Congrats! 🙂


@EricB84 wrote:

I don't understand why there is an interco with the backbone and a cable between the two gateways.


Kindly explain what exactly you mean by "interco with backbone".

brV
EricB84
Participant

We have:

two Cisco 4500s: the backbone of the company (to which all the other switches are connected by fiber),

a stack of 5 switches in the IT room,

and two Check Points.

There is a link between the two Check Points for the SYNC => I think it's for HA.

But there is a cable between each Check Point and each backbone Cisco on VLAN interco 100: a VLAN that is not routed (just to isolate it from the other VLANs).

And two other cables in another VLAN (the same as the SmartConsole VM) go to each backbone Cisco.

I don't understand the configuration:

why there is a link between the two gateways of type sync

and an interco with the backbone of the company.
Vincent_Bacher
Advisor

First of all, I would identify the interfaces on the Check Point devices connected to each other and those connected to your interco.
Then I would have a look at the topology of the object in SmartConsole.
I guess somebody has configured two interfaces as sync interfaces. That should work in theory, I guess, but officially it's not a supported setup AFAIK.
Supported sync redundancy is done using bond interfaces.
the_rock
Legend

I agree with everything @Vincent_Bacher said. Just for context, would you mind running the commands below on both members and sending the output as text file attachments.

Andy

cphaprob roles
cphaprob state
cpconfig
cphaprob -a if
cphaprob syncstat
cphaprob -i list
cphaprob -l list
cphaprob show_failover
cphaprob mvc
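Both Vincent's suggestion to run `cphaprob -a if` / `fw getifs` and compare the two nodes, and the command list above, come down to the same comparison: does each member see the same set of cluster interfaces, with the same sync role, and is CCP arriving on all of them? The state-change reason in the `cphaprob stat` output earlier in the thread ("fewer cluster interfaces configured compared to other cluster member(s)") and the failover reason ("Interface eth3 is down (Cluster Control Protocol packets are not received)") are precisely the two conditions such a diff surfaces. The following is an added example for this thread, not Check Point code and not something posted by any participant: it does not contact a gateway, and the two outputs it parses are constructed in the shape `cphaprob -a if` prints; the exact column layout is release dependent and is an assumption here, which is why the parser keys on the "Interface Name:" and "Virtual cluster interfaces:" marker lines rather than on column positions.

```python
"""Compare `cphaprob -a if` output from two ClusterXL members and point at the mismatch.

Added example for this thread; not Check Point code and it does not talk to a gateway.
The two outputs below are constructed to resemble what the command prints (the exact
layout is release dependent, an assumption here), so the parser keys on the
"Interface Name:" and "Virtual cluster interfaces:" marker lines, not on columns.
"""
import re
from dataclasses import dataclass, field

# Constructed: member fw1-CKP, one interface short and eth3 receiving no CCP.
FW1_OUTPUT = """\
CCP mode: Manual (Unicast)
Required interfaces: 3
Required secured interfaces: 1

Interface Name:      Status:

        eth0         UP
        eth1 (S)     UP
        eth3         Inbound: DOWN (88.1 secs) Outbound: DOWN (88.1 secs)

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 2

        eth0         192.168.10.1
        eth3         172.16.0.1
"""

# Constructed: member fw2-CKP, the ACTIVE one, with all four interfaces up.
FW2_OUTPUT = """\
CCP mode: Manual (Unicast)
Required interfaces: 4
Required secured interfaces: 1

Interface Name:      Status:

        eth0         UP
        eth1 (S)     UP
        eth2         UP
        eth3         UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 3

        eth0         192.168.10.1
        eth2         10.10.100.1
        eth3         172.16.0.1
"""

# One table row: name, optional "(S)"/"(LM)" role flags, then the status text.
IFACE_RE = re.compile(r"^\s*(?P<name>[\w.\-]+)(?:\s+\((?P<flags>[A-Z/, ]+)\))?\s+(?P<status>\S.*?)\s*$")


@dataclass
class MemberIfs:
    required: int = -1
    required_secured: int = -1
    ifaces: dict = field(default_factory=dict)  # name -> {"sync": bool, "up": bool}


def parse_cphaprob_if(text: str) -> MemberIfs:
    """Pull the required-interface counts and the per-interface table out of one member's output."""
    m = MemberIfs()
    in_table = False
    for line in text.splitlines():
        if line.startswith("Required secured interfaces:"):
            m.required_secured = int(line.split(":", 1)[1])
        elif line.startswith("Required interfaces:"):
            m.required = int(line.split(":", 1)[1])
        elif line.startswith("Interface Name:"):
            in_table = True
        elif line.startswith(("S - sync", "Virtual cluster interfaces:")):
            in_table = False  # legend and VIP list are not cluster interface rows
        elif in_table and line.strip():
            mt = IFACE_RE.match(line)
            if mt:
                flags = [f.strip() for f in (mt.group("flags") or "").split(",")]
                m.ifaces[mt.group("name")] = {"sync": "S" in flags,
                                              "up": "DOWN" not in mt.group("status")}
    return m


def compare_members(a: MemberIfs, b: MemberIfs) -> dict:
    """Findings that map onto the reasons seen in the thread: a member with fewer cluster
    interfaces, interfaces present on one side only, links where CCP is not received,
    and sync interfaces that do not line up between the members."""
    return {
        "only_on_a": sorted(set(a.ifaces) - set(b.ifaces)),
        "only_on_b": sorted(set(b.ifaces) - set(a.ifaces)),
        "fewer_required": "a" if a.required < b.required else "b" if b.required < a.required else None,
        "down_on_a": sorted(i for i, s in a.ifaces.items() if not s["up"]),
        "down_on_b": sorted(i for i, s in b.ifaces.items() if not s["up"]),
        "sync_mismatch": {i for i, s in a.ifaces.items() if s["sync"]}
                         != {i for i, s in b.ifaces.items() if s["sync"]},
    }


if __name__ == "__main__":
    fw1, fw2 = parse_cphaprob_if(FW1_OUTPUT), parse_cphaprob_if(FW2_OUTPUT)
    for key, value in compare_members(fw1, fw2).items():
        print(f"{key:>15}: {value}")
```

Run against the two constructed outputs it reports eth2 as present only on the second member, the first member as the one with fewer required interfaces, and eth3 down on the first member; in the thread the eth3 finding turned out to be a switch port that had been shut, which is the kind of thing worth checking before pulling a member out of the cluster per sk88360. To use it on real gateways, save `cphaprob -a if` from each member to a file and pass the contents in place of the constructed strings.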