This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fabiofabio
Collaborator
‎2021-10-19 12:31 AM
Jump to solution

fw with destination host unreachable

Good morning,
it's been a few days since I migrated the backup of my production environment to completely isolated servers, in order to prepare the environment and then migrate everything to the new ones. I migrated the first node and after some problems and changing the routes, I managed to get out of it. but now I have migrated the second one and despite having changed the routes to reach the switch, it still cannot communicate with anyone but itself. I looked at all the settings that came to my mind and they are the same as what works now.

 

trying to ping node 1 from node 2 (node 2 is the one having problems)

image.png

 

 

 

 

 

 

image.png

 

 

the switch

 

image.png

 

 

 

the only difference I have found that I am not sure about is this:

image.png

node 1 (working)

 

 

 

image.png

 

node 2 (not working)

 

 

 

 

 

I would like to clarify that before migrating it, I had installed gaia, created the cluster and verified that everything worked, I don't think it is a physical configuration problem. any suggestions? if you need some more data, just ask. Thanks

0 Kudos
3 Solutions

Accepted Solutions
rrbranco
Collaborator
Collaborator
‎2021-10-19 03:51 AM
Jump to solution

Note that the interface name order is not the same on both nodes.

 

Are the interfaces mapped correctly according to the phisical position and their names/aliases ?

 

I mean:

does phisical interface X really corresponds to ethX ?

does phisical interface Y really corresponds to ethY ?

 

Check cabling, unplug each by each one at a time and confirm that the one that goes down is really the desired one .

 

What about arp table ?  are they the same on the switch side ? 

 

Can you see correct / expected traffic on tcpdump and/or fw monitor ?

 

View solution in original post

0 Kudos
(1)
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-10-19 07:01 AM
In response to the_rock
Jump to solution

Try this in expert mode:

 

printf "%9s%13s%10s%8s%6s\n" "Interface" "Bus Addr" "PCI-ID" "Driver" "Link?";ifconfig -a | egrep "^[^ ]" | awk '{print $1}' | egrep -v "^(lo$|usb|bond[0-9\.]+|Mgmt\.[0-9]|eth[-0-9]+\.)" | xargs -n 1 -I @ sh -c 'printf "%9s" @;printf "%13s" $(ethtool -i @ | grep "bus" | cut -d" " -f2);printf "%10s" $(lspci -n | grep $(ethtool -i @ | grep "bus" | cut -d: -f3-4) | cut -d" " -f3);printf "%8s" $(ethtool -i @ | grep "driver" | cut -d" " -f2);printf "%6s" $(ethtool @ | grep "Link" | cut -d" " -f3);echo ""'

 

It prints the interface name, the PCIe address, the PCI ID (used to confirm the driver is correct), the driver name, and the link status of each physical interface. Example output:

 

[Expert@LabFW]# printf "%9s%13s%10s%8s%6s\n" "Interface" "Bus Addr" "PCI-ID" "Driver" "Link?";ifconfig -a | egrep "^[^ ]" | awk '{print $1}' | egrep -v "^(lo$|usb|bond[0-9\.]+|Mgmt\.[0-9]|eth[-0-9]+\.)" | xargs -n 1 -I @ sh -c 'printf "%9s" @;printf "%13s" $(ethtool -i @ | grep "bus" | cut -d" " -f2);printf "%10s" $(lspci -n | grep $(ethtool -i @ | grep "bus" | cut -d: -f3-4) | cut -d" " -f3);printf "%8s" $(ethtool -i @ | grep "driver" | cut -d" " -f2);printf "%6s" $(ethtool @ | grep "Link" | cut -d" " -f3);echo ""'
Interface     Bus Addr    PCI-ID  Driver Link?
     eth0 0000:07:00.0 8086:150c  e1000e    no
     eth1 0000:02:00.0 8086:150c  e1000e   yes
     eth2 0000:03:00.0 8086:150c  e1000e    no
     eth3 0000:04:00.0 8086:150c  e1000e    no
[Expert@LabFW]#

 

Make sure the interface names and the PCIe addresses match between boxes. If they don't, you can use /etc/udev/rules.d/00-OS-XX.rules to rearrange the names, as described in sk69621.

View solution in original post

0 Kudos
(1)
rrbranco
Collaborator
Collaborator
‎2021-10-19 07:13 AM
In response to the_rock
Jump to solution

Perhaps the hardware discovery process was a little bit different on each box.

 

try  :

 

"  tail -f /var/log/messages* | grep -i eth "  and remove cables (one at a time) or shutdown the corresponding port on the switch side (one at a time) .

 

verify if the interface that goes down is what you are expecting.

 

If it does not matches, see if you can try the following:

 

sk69621 - How to change interface naming on Open Servers running Gaia OS
reorganize the cables to match the naming decided by the OS after the hardware discovery 

View solution in original post

0 Kudos
(1)
7 Replies
_Val_
Admin
Admin
‎2021-10-19 01:42 AM
Jump to solution

Does the second node have any policy installed? Check it is not an initial policy. Also, unload, before you push the new one.

fabiofabio
Collaborator
‎2021-10-19 02:46 AM
In response to _Val_
Jump to solution

since i can't access the webUI, i looked for the commands to manage the policies from the cli but i found almost nothing. I tried with the command fw unloadlocal and then with the command fw fetch local but with both I had no luck.

0 Kudos
_Val_
Admin
Admin
‎2021-10-19 02:55 AM
In response to fabiofabio
Jump to solution

Make sure you are on the same network as the node, run "fw unloadlocal" and check the connectivity again. If it does not work, there is something wrong with the box.

rrbranco
Collaborator
Collaborator
‎2021-10-19 03:51 AM
Jump to solution

Note that the interface name order is not the same on both nodes.

 

Are the interfaces mapped correctly according to the phisical position and their names/aliases ?

 

I mean:

does phisical interface X really corresponds to ethX ?

does phisical interface Y really corresponds to ethY ?

 

Check cabling, unplug each by each one at a time and confirm that the one that goes down is really the desired one .

 

What about arp table ?  are they the same on the switch side ? 

 

Can you see correct / expected traffic on tcpdump and/or fw monitor ?

 

0 Kudos
(1)
the_rock
MVP Platinum
MVP Platinum
‎2021-10-19 06:27 AM
In response to rrbranco
Jump to solution

I was just about to send the same comment...thats a very good point. @fabiofabio , can you confirm what @rrbranco mentioned?

Andy

Best,
Andy
(1)
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-10-19 07:01 AM
In response to the_rock
Jump to solution

Try this in expert mode:

 

printf "%9s%13s%10s%8s%6s\n" "Interface" "Bus Addr" "PCI-ID" "Driver" "Link?";ifconfig -a | egrep "^[^ ]" | awk '{print $1}' | egrep -v "^(lo$|usb|bond[0-9\.]+|Mgmt\.[0-9]|eth[-0-9]+\.)" | xargs -n 1 -I @ sh -c 'printf "%9s" @;printf "%13s" $(ethtool -i @ | grep "bus" | cut -d" " -f2);printf "%10s" $(lspci -n | grep $(ethtool -i @ | grep "bus" | cut -d: -f3-4) | cut -d" " -f3);printf "%8s" $(ethtool -i @ | grep "driver" | cut -d" " -f2);printf "%6s" $(ethtool @ | grep "Link" | cut -d" " -f3);echo ""'

 

It prints the interface name, the PCIe address, the PCI ID (used to confirm the driver is correct), the driver name, and the link status of each physical interface. Example output:

 

[Expert@LabFW]# printf "%9s%13s%10s%8s%6s\n" "Interface" "Bus Addr" "PCI-ID" "Driver" "Link?";ifconfig -a | egrep "^[^ ]" | awk '{print $1}' | egrep -v "^(lo$|usb|bond[0-9\.]+|Mgmt\.[0-9]|eth[-0-9]+\.)" | xargs -n 1 -I @ sh -c 'printf "%9s" @;printf "%13s" $(ethtool -i @ | grep "bus" | cut -d" " -f2);printf "%10s" $(lspci -n | grep $(ethtool -i @ | grep "bus" | cut -d: -f3-4) | cut -d" " -f3);printf "%8s" $(ethtool -i @ | grep "driver" | cut -d" " -f2);printf "%6s" $(ethtool @ | grep "Link" | cut -d" " -f3);echo ""'
Interface     Bus Addr    PCI-ID  Driver Link?
     eth0 0000:07:00.0 8086:150c  e1000e    no
     eth1 0000:02:00.0 8086:150c  e1000e   yes
     eth2 0000:03:00.0 8086:150c  e1000e    no
     eth3 0000:04:00.0 8086:150c  e1000e    no
[Expert@LabFW]#

 

Make sure the interface names and the PCIe addresses match between boxes. If they don't, you can use /etc/udev/rules.d/00-OS-XX.rules to rearrange the names, as described in sk69621.

0 Kudos
(1)
rrbranco
Collaborator
Collaborator
‎2021-10-19 07:13 AM
In response to the_rock
Jump to solution

Perhaps the hardware discovery process was a little bit different on each box.

 

try  :

 

"  tail -f /var/log/messages* | grep -i eth "  and remove cables (one at a time) or shutdown the corresponding port on the switch side (one at a time) .

 

verify if the interface that goes down is what you are expecting.

 

If it does not matches, see if you can try the following:

 

sk69621 - How to change interface naming on Open Servers running Gaia OS
reorganize the cables to match the naming decided by the OS after the hardware discovery 

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events