Strange output from cphaprob state !

[tangerine0072000]

I have a pair of Nokia's IPSO 4.1 & NGX R60 HFA04 running VRRP. The VRRP config is fine and the appropriate master and backup ip addreses, but when I run a 'cphaprob state' from each box, each firewall thinks the other one is down.

The output from the cphaprob state is below

Primary Firewall cphaprob state output
Number Unique Address Firewall State (*)

1 (local) 172.16.10.11 active
2 172.16.10.12 down


Secondary Firewall cphaprob state output
Cluster Mode: Sync only (IPSO cluster))

Number Unique Address Firewall State (*)

1 172.16.10.11 down
2 (local) 172.16.10.12 active

has anyone experienced this ?

[kva.kva]

I think, we need more information

for example, output
cphaprob -a if
cphaprob -i list

[tangerine0072000]

This is the output from primary and secondary firewalls.....

PRIMARY FIREWALL OUTPUT

cphaprob -a if

eth-s1/s2p1c0 sync(secured), multicast
eth-s2/s2p1c0 sync(secured), multicast
eth-s1/s2p2c0 non sync(non secured)

Virtual cluster interfaces: 2

eth-s1/s2p1c0 172.16.10.10
eth-s1/s2p2c0 10.16.10.10


cphaprob -i list

Built-in Devices:

Device Name: IPSO member status
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3819.3 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 3811.5 sec

Device Name: cphad
Registration number: 2
Timeout: 5 sec
Current state: OK
Time since last report: 0.2 sec

Device Name: fwd
Registration number: 3
Timeout: 5 sec
Current state: OK
Time since last report: 0.3 sec

SECONDARY FIREWALL OUTPUT
cphaprob -a if

eth-s1/s2p1c0 sync(secured), multicast
eth-s2/s2p1c0 sync(secured), multicast
eth-s1/s2p2c0 non sync(non secured)

Virtual cluster interfaces: 2

eth-s1/s2p1c0 172.16.10.10
eth-s1/s2p2c0 10.16.10.10

NGMIOF2[admin]# cphaprob -i list

Built-in Devices:

Device Name: IPSO member status
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 4324.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 4316.1 sec

Device Name: cphad
Registration number: 2
Timeout: 5 sec
Current state: OK
Time since last report: 0.3 sec

Device Name: fwd
Registration number: 3
Timeout: 5 sec
Current state: OK
Time since last report: 1.1 sec

[northlandboy]

Is s1/s2p1c0 meant to be both a cluster and a synchronisation network?

Or are you only meant to use s2/s2p1c0 for sync?

Check the output of fw ctl pstat several times on both nodes, check to see if sync packets sent and received are increasing on both.

Check fw tab -t connections -s, see what you see there.

If you do a cpstop;cpstart on the secondary, do you see messages on the primary about serving as a full sync server?

[tangerine0072000]

In NGX R60 you can define more then one interface as a 'Sync' interface. I had this problem when having only one sync interface anyway. I added a 2nd interface to see if this would resolve the problem, but it didn't.

I will give the other commands a whirl and post back the response.

[tangerine0072000]

thanks all !

I managed to resolve my problem by changing the sync mode from Multicast to Broadcast. This is probably because my sync interface is connect via a switch and not cross-over cable. I entered the following.

cphaconf set_ccp broadcast
cpstop
cpstart

then both show as active...cool !

[mulox]

Hi.
I had the same problem, same cphaprob state output.
One of the Nokia (the secondary) had lost the ntp configuration and it was showing year 1980...
Setting the ntp again solved the problem.

Bye
Massimo

[Sidney]

Quote:

Originally Posted by tangerine0072000

thanks all !

I managed to resolve my problem by changing the sync mode from Multicast to Broadcast. This is probably because my sync interface is connect via a switch and not cross-over cable. I entered the following.

cphaconf set_ccp broadcast
cpstop
cpstart

then both show as active...cool !

Hi,

Let me guess: you are using a Cisco switch with a specific VLAN for sync ?
If yes, you need to configure your switch to make multicast work.

Here is the link :
http://www.cisco.com/en/US/partner/p...8059a9df.shtml

You can also refer to Checkpoint's clusterXL guide.

Sidney