LeeBingKang
Advisor

Question regarding RMA a firewall that diagnostic tool show all OK

Hi all,

Recently, a client of mine faced an issue whereby one of their FULL HA firewalls suddenly hangs, and this issue has happened more than 2 times within a few months.

The 1st hang was around 30 May 2023, and the firewall worked fine as usual after a reboot. Meanwhile, we ran a hardware diagnostic via the command "diagMain" and found that the diagnostic result showed OK. With that, we opened a case with TAC, and TAC suggested installing the latest recommended Jumbo Hotfix (take 197) as it resolves some memory-related issues. After that, we installed Jumbo Hotfix take 197 on both FULL HA firewall members successfully on 22 July 2023.

The 2nd hang was on 1/8/2023, and it happened on the same firewall while it was acting as the active firewall and management (since 22 July 2023). The firewall booted up after a reboot, and the diagnostic result (via the command diagMain) also showed all OK. However, we monitored it for more than 30 minutes and became aware that its CPU utilization is inconsistent (it somehow reaches more than 100% for the Java process). Moreover, we tried to move the active management 

Hence, I would like to seek your advice: can the fact that this hang happened more than 2 times within these few months be the reason to do an RMA?

Thank you.

0 Kudos
41 Replies
the_rock
Legend

Keep us posted how it goes.

Andy

0 Kudos
LeeBingKang
Advisor

Here is the update on this matter after a few weeks... the RMA is still in progress.....

However, the problematic firewall has been up and running until now, under the condition that it acts as the active management server only.

I consider it weird. I will update again if there is anything.

0 Kudos
G_W_Albrecht
Legend

This is what I found as a best practice with Management HA - the active node that takes all the load is secondary Management only, the Standby node is primary management. But I would rather not suggest this kind of deployment at all...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor

I agree with the best practice mentioned in your post (split the active modules (firewall and management) across both members).

However, there is a scenario (FULL HA enabled remote access blade with "certificate + username password" authentication method) where we can't split it.

It is because the user VPN certificate renewal requires the active management and firewall to be on the same firewall member.

0 Kudos
the_rock
Legend

Full HA...whenever I think of it, it reminds me of those things in life that when they work well, it's heaven, but when they do break, to say it's a nightmare would be an understatement of the century lol

Anyway, when you say RMA is in progress, you are still waiting for a new appliance?

Andy

0 Kudos
LeeBingKang
Advisor

The new appliance just arrived today, and we are doing the configuration on the firewall and finding a suitable date to do the replacement.

the_rock
Legend

Thanks for the update @LeeBingKang 

0 Kudos
LeeBingKang
Advisor

The RMA unit was replaced on 4/11/2023, 12am (Malaysia time). Meanwhile, the new unit became active on both the firewall and management modules. We will monitor for 2 weeks starting from now to ensure everything is fine.

0 Kudos
LeeBingKang
Advisor

It has been almost 2 weeks and the new device is working fine with active status on both modules (firewall and management).

Looks like RMA is the solution for this matter.

0 Kudos
LeeBingKang
Advisor

Dear All,

Here is the latest update: the firewalls are working after the RMA (around 3 months).

Hence, I believe RMA is the solution for this kind of issue.

Please give comments if you guys have any.

Thank you.

the_rock
Legend

Sounds like that would be the case, glad it's fixed.

Andy

0 Kudos
G_W_Albrecht
Legend

A user VPN certificate renewal happens every couple of years only - it is CRL on active SMS that causes an issue. You can disable that as internal certs are not revoked.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
