Gateway in red on smartconsole
Hi,
We have two gateways in a cluster.
The first gateway is in red.
I think I can't add or modify existing rules...
I don't understand why there is a gateway in red, there is no modification...
I only have the admin account to access SmartConsole R80.30 and the Gaia Portal web page R80.30,
and the expert password.
I don't have a CLI password to access the gateway directly from the CLI.
How can I get this gateway back to green
without breaking the other gateway or completely blocking the company's access to the outside through the rules...
Thank you very much,
Eric
Accepted Solutions
I have the solution!
In fact, the interface on our backbone was shut.
I connected to the Cisco 4500, did a shut / no shut, and it works now.
All is green.
But I don't understand our configuration.
We have an RJ45 cable between the two gateways, of type sync,
two cables directly into the Cisco backbone, with an interco VLAN,
and two other cables for the switch stack in another VLAN (the same as the VLAN for the SmartConsole).
I don't understand why there is an interco with the backbone and a cable between the two GWs.
Thanks
R80.30 has been out of support for a while now.
As the error shows, you have an issue with ClusterXL on one of the gateways. You need GW access to troubleshoot. If you can access the GW WebUI, use the same credentials to access it via SSH or console.
Hi Val,
I get this message when connecting to the first gateway.
I have found the password for the second gateway and it's OK!
For the first one I get this message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX.......
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending key in /home/admin/.ssh/known_hosts:2
RSA host key for 10.38.204.24 has changed and you have requested strict checking.
Ignore this warning for now. Connect to the first GW via SSH and run "cphaprob stat" command
Cluster Mode: High Availability (Primary Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 1.1.1.1 0% DOWN fw1-CKP
2 1.1.1.2 100% ACTIVE fw2-CKP
Active PNOTEs: IAC
Last member state change event:
Event Code: CLUS-110800
State change: INIT -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Apr 9 09:59:29 2024
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth3 is down (Cluster Control Protocol packets are not received)
Event time: Thu Apr 4 13:23:37 2024
Cluster failover count:
Failover counter: 13
Time of counter reset: Mon Aug 23 07:42:39 2021 (reboot)
I have found this topic about removing the FW from the cluster and adding it again:
https://support.checkpoint.com/results/sk/sk88360
Is it possible?
Won't it block the whole LAN if there is only one FW active in the cluster?
Thanks
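A health check over the `cphaprob stat` output posted above, as an added example that is not part of the original thread and not Check Point tooling. The function names, the choice to treat only ACTIVE and STANDBY as healthy, and the abridged sample text are assumptions made for this example.

```python
import re

# Abridged from the `cphaprob stat` output quoted in the thread above.
SAMPLE = """\
Cluster Mode: High Availability (Primary Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 1.1.1.1 0% DOWN fw1-CKP
2 1.1.1.2 100% ACTIVE fw2-CKP
Active PNOTEs: IAC
Last member state change event:
State change: INIT -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth3 is down (Cluster Control Protocol packets are not received)
"""

# id, optional "(local)", address, load %, state, member name
MEMBER = re.compile(r"^(\d+)\s+(\(local\)\s+)?(\S+)\s+(\d+)%\s+(\S+)\s+(\S+)$")
HEALTHY = {"ACTIVE", "STANDBY"}  # assumption: any other state needs attention

def parse_cphaprob_stat(text):
    """Split the report into member rows, active pnotes and 'Key: value' fields."""
    report = {"members": [], "pnotes": [], "fields": {}}
    for line in map(str.strip, text.splitlines()):
        m = MEMBER.match(line)
        if m:
            report["members"].append({"id": int(m[1]), "local": bool(m[2]),
                                      "address": m[3], "state": m[5], "name": m[6]})
        elif line.startswith("Active PNOTEs:"):
            names = line.split(":", 1)[1].split(",")
            report["pnotes"] = [p.strip() for p in names if p.strip() not in ("", "None")]
        elif ": " in line:
            key, value = line.split(": ", 1)
            report["fields"].setdefault(key, value)  # keep the first occurrence
    return report

def findings(report):
    """Return human-readable problems found in a parsed report."""
    out = [f"member {m['id']} ({m['name']}) is {m['state']}"
           for m in report["members"] if m["state"] not in HEALTHY]
    if report["pnotes"]:
        out.append("active pnotes: " + ", ".join(report["pnotes"]))
    if "Reason for state change" in report["fields"]:
        out.append("last state change: " + report["fields"]["Reason for state change"])
    down = re.search(r"Interface (\S+) is down", report["fields"].get("Reason", ""))
    if down:
        out.append(f"last failover: interface {down[1]} down")
    return out
```

Run against text collected from each member, the same function shows which node reports the problem and whether the last failover names an interface, which is where the thread's troubleshooting ended up.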
"Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)"
So the interface configurations should be checked and compared between both nodes.
Seems like there is an interface configured in SmartConsole objects topology and on one of the nodes but not on the other.
You may as well use commands like
cphaprob -a if
fw getifs
and see the output.
Or at least connect to the Gaia Web Interface and check / compare the interface configs of both nodes.
Besides the unsupported release:
The red cross icon can have many reasons. What does the little popup say when you move the mouse over it?
Just try this from smart console, as per my screenshot and see what it shows you. And yes, send output of cphaprob -a if from both members, as well as output from cpconfig
Andy
We have
2 × Cisco 4500: the backbone of the company (to which all other switches are connected by fiber),
a stack of 5 switches in the IT room,
and two Checkpoints.
There is a link between the two Checkpoints for the SYNC => I think it's for HA.
But there is a cable between the Checkpoints and each Cisco backbone on interco VLAN 100: a VLAN that is not routed (just to isolate it from the other VLANs),
and two other cables in another VLAN (the same as the SmartConsole VM's) go to each Cisco backbone.
I don't understand the configuration:
why is there a link between the two GWs of type sync
and an interco with the backbone of the company?
First of all, I would identify the interfaces on the Check Point devices connected to each other and those connected to your interco.
Then I would have a look at the topology of the object in SmartConsole.
I guess somebody has configured two interfaces as sync interfaces, which should work in theory, I guess, but officially it's not a supported setup, afaik.
Supported sync redundancy is done using bond interfaces.
I agree with everything @Vincent_Bacher said. Just for context, would you mind running the commands below on both members and sending the output as text file attachments?
Andy
cphaprob roles
cphaprob state
cpconfig
cphaprob -a if
cphaprob syncstat
cphaprob -i list
cphaprob -l list
cphaprob show_failover
cphaprob mvc
