This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Philip_W
Contributor
‎2019-06-12 04:47 AM

rename VSX cluster member

Hi Checkmates,

Our customer's wants to upgrade his environment from R77.30 to R80.20.

Problem is: he has a VSX cluster with cluster members named 'fw1' and 'fw2'. After importing the SMS database to a new R80.20 management server the Validations tab tells us that "more than one object named fw1 exists" (the other being a default service FW1).

Long story short: we have to rename VSX cluster member 'fw1' before we can consider upgrading. In my lab I experimented with vsx_util:

- vsx_util add_member to add a Dummy gateway

- vsx_util remove_member to remove fw1

but this can't be used: "A previous remove member operation did not complete for..." because there is no SIC with the Dummy gateway, which also prevents policy installs to the remaining VSX member.

TAC told us to use vsx_provisioning_tool (and to contact Professional Services 🤔), but after reading the documentation and testing some commands I don't see how that would work.

Anyone?

Ph.

0 Kudos
6 Replies
Alejandro_Mont1
Collaborator
‎2019-06-12 09:40 AM

If I remember correctly you when you turn on the following VSX debugs it skips the provisioning process and allows you to make changes without communication:

#fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO
# fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO
#fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO

Make changes to VSX gateway

Disable debugs with #fw debug fwm off

Might try this in your lab to see if it will let you delete.

0 Kudos
Philip_W
Contributor
‎2019-06-12 11:19 AM
In response to Alejandro_Mont1

Thanks Alejandro, I'll test it tomorrow!

0 Kudos
Philip_W
Contributor
‎2019-06-13 02:57 AM
In response to Alejandro_Mont1

I'm afraid this didn't solve it. Still getting:

"Previous remove member operation was not completed. Run 'vsx_util remove_member' again to resume operation."

I'll dive a bit deeper still maybe removing the whole cluster & recreating it will be the only solution.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-13 04:03 AM
In response to Philip_W

When you run the 'vsx_util remove_member' again, you can abort the previous operation. Then you can try it again.
Regards, Maarten
0 Kudos
Philip_W
Contributor
‎2019-06-17 11:55 PM

Going to test further with TAC.

I'll post the solution here, maybe it will come in handy for someone else later on.

Raf_Brands
Explorer
‎2019-08-12 01:22 AM

We now created a procedure for the rename in lab:

  1. Add dummy node with "vsx_util add_member"
  2. Remove the original node with "vsx_util remove_member"
    This will generate an error regarding SIC communicatio
  3. Edit '$FWDIR/conf/objects_5_0.C', find the dummy gateway object and related child objects and change the status and SIC information
     => Change 'connection_state (uninitialized)' to 'connection_state (communicating)'
     => Change the ':sic_name ()' to a normal value ':sic_name ("CN=Test_tmp,O=gw-2c1401..962djh")' in our test
     => For the child object, in this test there’s only one VS named VG1, so the corresponding sic_name is ':sic_name ("CN=Test_tmp_VG1,O=gw-2c1401..962djh")'
  4. Run 'vsx_util remove_member' again to remove the original node, this will generate another error (not being able to communicate with the dummy node)
  5. Reset or reïnstall the original node (in our lab we used 'reset_gw' in 'vsenv 0')
  6. Following sk101674, edit '$FWDIR/conf/objects_5_0.C'
    => find :operation_type (add_remove_member) and delete the blocks where the status is not OK [:status (OK)]
    => Save the file and exit
    => Remove the SmartConsole cache and restart the checkpoint services:
         cd $FWDIR/conf/
         rm CPMILinks*
         cpstop
         cpstart
  7. Add the original node again under the new using 'vsx_util add_member', this should run ok now
  8. Restore the configuration on the renamed node using 'vsx_util reconfigure'
  9. Remove the dummy node using 'vsx_util remove_member'
  10. Verify in SmartDashboard
  11. Test policy push

We will keep this procedure as backup scenario for production, for production we will create a VM with with 10 nics and add this VM as a third node while reinstalling the original node.

Any feedback is welcome!

0 Kudos