This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Adam276
Contributor
8 hours ago

Starting cpri_d: FAILED on boot

I am having a problem moving my old secondary firewall back into place after having problems with a new secondary firewall hardware/software upgrade. I tried moving to R81.20 Take 90 on a cluster (secondary only first) and had a reboot issue when pushing policy (I will look into that later).  I am still working fine on the old R80.10 primary as I was only trying to get the secondary ready to switch to before experiencing the reboot problem.  FYI... The old and new hardware is Dell hardware/NICs that are on the Checkpoint open server HCL.

My main problem right now though is trying to get the the old secondary back functional (it is R80.10).  The cpri_d process is failing on boot. Because I had to change SIC in management for the new secondary hardware/software upgrade, I reset SIC on old secondary gateway and changed the version back to R80.10 in the management.  SIC tests successful from SmartConsole.  I can push policy and no errors on the policy push itself.  The secondary is showing red though.

This is on bootup of the system...

Starting the system...

                            Starting cpri_d:   FAILED

GUI shows green status for the primary(that system wasn't touched).  The secondary is showing a red alert though in SmartConsole gateways view.  I have tried rebooting, pushing policy again, etc but no change.

SmartConsole GUI shows this as an alert for this gateway.
'Firewall' is not responding. Verify that 'Firewall' is installed on the gateway.  "If 'Firewall' should not be installed verify that it is not selected in the Products list of the gateway (SmartConsole > Security Gateway > General Properties . Software Blades List).

Trying to start cprid manually gives this error...

[Expert@Ode-Fw21:0]# $CPDIR/bin/cpridstart
DIAGDIR: Undefined variable.

Looking at the /opt/CPsuite-R80/fw1/log/lpd.elg log file I see this...

[lpd 2962 4158621392]@Ode-Fw2[3 Mar 9:24:56] [init][INFO][logger.cpp:62 : initLogger] ####################################################
[lpd 2962 4158621392]@Ode-Fw2[3 Mar 9:24:56] [init][INFO][logger.cpp:63 : initLogger] welcome to lpd log!
[lpd 2962 4158621392]@Ode-Fw2[3 Mar 9:24:56] [main][ERROR][daemon_main.cpp:42 : main] LPDException: Failed to fetch DIAGDIR environment variable
[lpd 2962 4158621392]@Ode-Fw2[3 Mar 9:24:56] [main][INFO][daemon_main.cpp:59 : main] Exit code: 3
[lpd 6621 4157658832]@Ode-Fw2[3 Mar 9:25:55] [init][INFO][logger.cpp:62 : initLogger] ####################################################
[lpd 6621 4157658832]@Ode-Fw2[3 Mar 9:25:55] [init][INFO][logger.cpp:63 : initLogger] welcome to lpd log!
[lpd 6621 4157658832]@Ode-Fw2[3 Mar 9:25:55] [main][ERROR][daemon_main.cpp:42 : main] LPDException: Failed to fetch DIAGDIR environment variable
[lpd 6621 4157658832]@Ode-Fw2[3 Mar 9:25:55] [main][INFO][daemon_main.cpp:59 : main] Exit code: 3

cphaprob shows correct backup for the secondary.  Primary is active of course.

Anyone experience this?

No rules changes or object changes besides resetting SIC for the secondary member and changing version on the cluster object back to the old R80.10 version.

0 Kudos
3 Replies
the_rock
Legend
Legend
5 hours ago

Nothing comes up on support site about it, at least that I can find. Have you asked TAC about it? One suggestion...maybe console into it, run halt command, then unplug power cord, wait 30 seconds, plug it back in and see if that helps.

Andy

0 Kudos
Adam276
Contributor
4 hours ago
In response to the_rock

I see the same log stuff in lpd.elg on the other old firewall so I assume that is not related.

I also don't see a cprid process running on the old primary either so maybe that also is not related.  It is possible on reboot the primary gives that same error and not be related also.  Not sure.  I don't want to touch the primary until I have a functional secondary though.

The main issue seems to be that SmartConsole shows the alert below for the second member.

'Firewall' is not responding. Verify that 'Firewall' is installed on the gateway.  "If 'Firewall' should not be installed verify that it is not selected in the Products list of the gateway (SmartConsole > Security Gateway > General Properties . Software Blades List).

I can't find anything about that yet either.  I might revert to a previous snapshot from yesterday on the old secondary that I took out of precaution.  The only thing done on it though was SIC and management version change back and forth so it doesn't seem likely that it will change anything.  I will still have to redo SIC again to get that going since SIC was reset in management recently for that cluster member.

The strange thing is it is complaining about firewall blade but cphaprob stat shows it in backup state which means the process checks that happen for HA state are at least ok.

0 Kudos
the_rock
Legend
Legend
4 hours ago
In response to Adam276

I actually remember that EXACT error, but not for fw blade, rather for identity awareness. In the lab, it disappeared when I rebooted the fw, but I never logically understood why it came up in the first place and could not really open a TAC case, since its a lab.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events