HFA-04 install broke my cluster

[karimi]

Hello,

I have 2 Nokia running in Load-Sharing config. I installed Checkpoint HFA-04 on my Mgmt Stn, and then installed it on one of the cluster members. FW#2 was taking the traffic while I was making the change on FW#1 - so no interruption - everything went fine, and it asked me to reboot at the end of the install, I did that, and it came back up - I pushed the policy to it, and install was fine.

However, I noticed in the logs that FW#2 was still primary and taking the traffic, and FW#1 wasn't logging. Upon doing cphaprob stat, i see FW#1, the one I had applied HFA04 to, was marked as cluster state=down. I tried to join the Cluster again in Voyager by putting in FW#2 IP, but it refused to join, with the error "firewall-1 must be running on both nodes before cluster" or something to that effect.

I had to uninstall HFA-04 on FW#1 and go back to NGX60 and then it was fine.

What happened? I can't upgrade now because it seems to break the cluster. Someone said it's because both FWs need to be at HFA-04, but i'm very hesistant to work on the active FW in case it breaks it too!

Any advice appreciated

~k

[MarioL]

OK, probably not what you want to hear now, but here is what I would do:

1 - Upgrade mgmt (you have done this)
2 - Upgrade 1 node (you chose node A, I would probably chose node B, but it's pretty much irrelevant tbh)
3 - Get the upgraded module handling traffic (turn off node B ofc)
4 - When you are fairly satisfied that the upgraded fw is fine go to step 5
5 - Upgrade 2nd node
6 - Test node 2 and then the full cluster and fail-overs

[karimi]

Mario

There is a misunderstanding. I followed those steps. Please re-read my note carefully. By the way, I'm using Load Sharing, not High Availability.

I am saying whichever node you do, A or B, the cluster state is DOWN. So you can't turn off the other working node if the other member of the cluster is in a down state.

It seems after installing HFA-04 on the cluster member, and after reboot, even after pushing policy to it, it keeps the cluster state=DOWN.

~k

[MarioL]

I haven't done cluster upgrades for a while now, but if memory serves, you will need to turn off the old node to get the upgraded one to work. Otherwise the broadcasts will probably create issues.

I bet that if you turn off node B and reboot node A, it will come back up as active. I know it will cause downtime... which might not be acceptable.

Have you tried to force the state to up on the upgraded node?
I can't remember the command now, but it's not the "cphaprob state", it's the other one.

One test you can do is:
- connect all of the upgraded node's nics to dif switches, so they don't interfere with the other node and boot it, check if it boots as up.

[karimi]

Mario

Thanks - i think you mean the cluster command "set_ccp broadcast" ?

I am just wondering what it is with HFA-04 that broke the cluster. I read the release notes for installation, and it doesn't mention that I have to do anything with the cluster, or that having one cluster member at HFA-04 and the other and NGX would cause a problem.

~k

[MarioL]

Think so.

I don't think it's a HFA04 thing, more like a Check Point thing about dif versions and cluster node status really. I don't think I ever saw 2 nodes with dif HF levels both up tbh.