ClusterXL incorrectly says interface is disconnected

[jmcgrady]

I'm running R60 hfa3 on Secureplatform. All is well except that Clusterxl is incorrectly reporting the status for two interfaces (6 total) on both cluster nodes. cphaprob -a if reports eth3 and 3th5 as disconnected, non sync (non secured). However i can ping devices on that interfaces subnet. The OS is happy that the interface is up, why would clusterxl report it as down?

Ive checked topology and netmasks in the cluster object. All looks correct.

[jmcgrady]

Found the issue. There was an old conf/discntd.if file listing the effected interfaces. Deleting that fixed the problem.

[Praetorio]

Hi.



Unix/Linux:
-------------
1) Run "cpstop".
2) Edit "$FWDIR/conf/discntd.if" with the names of the disconnected interfaces.

NOTE:
If "discntd.if" does not exist you will need to create it.

EXAMPLE:
eth4
eth5
eth6

3) Save changes.
4) Reboot firewall.
5) Repeat the same actions for the other Enforcement Module(s) in the cluster.

[cciesec2006]

You only need to do this IF you're running NG with AI R55 or lower.
Checkpoint NGx R60 suppose to fix this.

my advise is to open a TAC case with Checkpoint.

[Praetorio]

Yes, only R55 and lower version, but you can check this procedure for this products and components:VPN-1 Pro/Express NGX R60
VPN-1/FireWall-1 NG with AI R55 HFA_14 and higher ,VPN-1 VSX NGX R60,
ClusterXL Load Sharing mode ,ClusterXL High Availability

In Secure Knowledge can you search for sk31336 -Enabling / Disabling the MILS Feature

[chillyjim]

Quote:

Originally Posted by cciesec2006

You only need to do this IF you're running NG with AI R55 or lower.
Checkpoint NGx R60 suppose to fix this.

The file is no longer required in R60 and latter, but it is still supported.
e.g. if the interface is listed, it will not be monitored.