This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duane_Toler
Advisor
Friday
Jump to solution

Warning: R81.20 JHF 89 for VSX

I had a multi-hour call with Diamond TAC today dealing with a VSX cluster R81.20 after an update to JHF 89.  We had one VS with an interface with multiple VLANs that was missing the highest VLAN on the monitored list.  No matter what trick we did, we couldn't get the 2 JHF 89 gateways to sync up with the 1 older JHF gateway.  It was affecting only ONE VS, too, not the others.  All others worked just fine!

I rolled back JHF 89 and instead installed JHF 84 and all is well now.  This may not affect everyone, but TAC told me about another case they had with the exact same issue.

Hopefully your updates aren't as troublesome, and may they bring you success, but be aware of your multi-VLAN interfaces for VSX.  JHF 89 doesn't seem to play nice with those.

 

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
11 hours ago
Jump to solution

sk182819 was published for this issue.

CCSM R77/R80/ELITE

View solution in original post

12 Replies
Alex-
Leader Leader
Leader
Friday
Jump to solution

Apparently a known issue.

https://community.checkpoint.com/t5/Management/VSX-VS-Cluster-State-in-Smartconsole/m-p/231363#M4030...

We also have an SR open for this on VSX running R81.10 and Take 150 onwards.

0 Kudos
the_rock
Legend
Legend
Friday
Jump to solution

Good to know! I had old client tell me about it the other day, but I was not aware it was a known issue until I saw your post.

Andy

0 Kudos
JozkoMrkvicka
Mentor
Mentor
Friday
Jump to solution

If we face issues with monitored VLANs, in most cases cpstop;cpstart from problematic VS help.

If not fixed after cprestart, there is not documented command:

fw vsx restart_vs <VSID>

Example for restarting VS 3: fw vsx restart_vs 3

Try that if it helps.

Kind regards,
Jozko Mrkvicka
Duane_Toler
Advisor
Friday
In response to JozkoMrkvicka
Jump to solution

Yep, did that, too. Good idea. Didn’t help, tho. VS remained down on the JHF 89 gateway. 
Full rollback was the only remaining option.

0 Kudos
Jan_Kleinhans
Advisor
Monday
Jump to solution

Hello,

as Alex already mentioned we are one of the customers with this issue. And also TAC told us about other cases. Our case is open since 22 October. We are waiting for a debug script.

As it seems that there are more and more users experiencing this problem I wonder why checkpoint doesn't place a warning or at least a "known issue" so that customers planning to go to the "recommended" release will have something to go on.

 

 

0 Kudos
MatanYanay
Employee
Employee
Monday
In response to Jan_Kleinhans
Jump to solution

Hi @Jan_Kleinhans 

we will add it to the important note of the jumbo by tomorrow 

Jan_Kleinhans
Advisor
yesterday
In response to MatanYanay
Jump to solution

Hello Matan,

you posted an entry this morning in this case. Where is this entry? Was the information wrong?

Regards,

Jan

0 Kudos
MatanYanay
Employee
Employee
yesterday
In response to Jan_Kleinhans
Jump to solution

Hi @Jan_Kleinhans  we are still working on the most accurate communication. 

meanwhile, be aware we have a fix and it will be released in the jumbo we plan to release next week 

Thanks

Matan.

MatanYanay
Employee
Employee
17 hours ago
In response to MatanYanay
Jump to solution

Hi All 

We have identified an issue with the new Jumbo take that affects the VSX cluster env with VLANs.

During the installation on the Standby member, a temporary monitoring mismatch occurs:

the Standby begins monitoring only the lowest VLAN, while the Active member monitors both the lowest and highest VLANs.

This mismatch causes an "ACTIVE!" (on the member running the pre JHF 89 version) or Down state (instead of Standby state on the member running JHF 89) to be triggered.

Although this is a cosmetic issue and does not impact traffic flow or failover functionality, we still recommend that VSX customers wait for the next Jumbo release ( Plan to be released next week). Important note in the jumbo doc will be added today as well 

For customers who wish to proceed with the installation, an SK with detailed installation instructions will be published today (and shared on this thread).

Chris_Atkinson
Employee Employee
Employee
11 hours ago
Jump to solution

sk182819 was published for this issue.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
11 hours ago
In response to Chris_Atkinson
Jump to solution

Awesome!

0 Kudos
JozkoMrkvicka
Mentor
Mentor
4 hours ago
In response to Chris_Atkinson
Jump to solution

doing cpstop on active member cannot be considered as "manual failover". Better wording should be "hard switchover with small outage". Maitanance window is needed anyway.

It is also not clear from the article if cpstop/failover should be done from VS0 or from specific VS. Depending if VSX is in HA or VSLS mode.

In which world can happen that affected VS will be in STANDBY state while highest VLAN is not monitored correctly ? It has to be in DOWN state and "normal failover" cannot happen due to LPRB or IAC Pnote problem.

Kind regards,
Jozko Mrkvicka

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events