NOKIA IP 2450 Rebooting-NEED HELP ASAP

[CPone]

Dears
i have setup 2 * IP2450 in cluster mode, everything was working fine, before putting them into production, the HA ports are connected to a cisco switch.
suddenly the boxes are rebooting every 5 minutes, any clue?

the boxes have R62 with IPSO 4.2, same versions as they came from manufacturer, and i have installed the R65 for the smartcenter.

please advise

[mcnallym]

Is there anything in the log files of the box, failing that I would raise a call with Nokia.

messages file in /var/logs/

[chuachongchee]

hmm... funny... lol

Are you using ClusterXL or Nokia VRRP??

What happens if you change them to each standalone? DO they still reboot constantly?

[CPone]

Well

i reviewed the logs from the voyager, there is not much,
and then i was checking what i have done before the boxes started rebooting,
i found that i have enabled any any traffic to allow , the last rule, then i made it "drop" and since 10 min, the boxes are not rebooting, i don't know if this is the problem, i am still testing now

Regards

[CPone]

Quote:

Originally Posted by chuachongchee

hmm... funny... lol

Are you using ClusterXL or Nokia VRRP??

What happens if you change them to each standalone? DO they still reboot constantly?

i m using IP clustering, i did not try to check each box at a side, since i changed the last rule and doing my tests again.

[chuachongchee]

Quote:

Originally Posted by CPone

Well

i reviewed the logs from the voyager, there is not much,
and then i was checking what i have done before the boxes started rebooting,
i found that i have enabled any any traffic to allow , the last rule, then i made it "drop" and since 10 min, the boxes are not rebooting, i don't know if this is the problem, i am still testing now

Regards

Hmm.. u mean you have one rule allow any any, and the next drop any any??

Wont this not allow you to install since theres a policy conflict... prior to your changes... any issues when installing policy?? Warnings? Errors??

[CPone]

Quote:

Originally Posted by chuachongchee

Hmm.. u mean you have one rule allow any any, and the next drop any any??

Wont this not allow you to install since theres a policy conflict... prior to your changes... any issues when installing policy?? Warnings? Errors??

the last rule should be drop any any, i changed it to allow any any, and since then the boxes were rebooting, when i reverted back to drop any, the boxes are working fine...

[chuachongchee]

Quote:

Originally Posted by CPone

the last rule should be drop any any, i changed it to allow any any, and since then the boxes were rebooting, when i reverted back to drop any, the boxes are working fine...

Hmm... doesnt sound logical though.... if rulebase was indeed the culprit.. we should see cpu 100% or the box died.. and not rebooting which we saw..

[RayPesek]

Quote:

Originally Posted by CPone

the last rule should be drop any any, i changed it to allow any any, and since then the boxes were rebooting, when i reverted back to drop any, the boxes are working fine...

Depending on what, if anything, you were dropping further up in the rule base, your firewall and internal network could have been wide open to the Internet and getting hit with who-knows-what.

Ray

[chuachongchee]

Quote:

Originally Posted by RayPesek

Depending on what, if anything, you were dropping further up in the rule base, your firewall and internal network could have been wide open to the Internet and getting hit with who-knows-what.

Ray

hmm... high chance too... anything in /var/log/messages??

[chrissamuel]

Quote:

Originally Posted by CPone

i m using IP clustering, i did not try to check each box at a side, since i changed the last rule and doing my tests again.

You might find it is an ip clustering thing, especially if the switch doesn't support the clustering mode you are using. Maybe take one node out of the cluster and see if you get the same issue.

[CPone]

Quote:

Originally Posted by chuachongchee

Hmm... doesnt sound logical though.... if rulebase was indeed the culprit.. we should see cpu 100% or the box died.. and not rebooting which we saw..

i did not see any cpu 100 %, once i reverted back to drop, it worked, note that i was doing all testing in staging area

[CPone]

i had a downtime yesterday to put the wo nokia IP 2450 into production, once i plugged all cables to the new boxes, they started to restart, whenever the traffic was passing through the boxes, they were restarting, i removed one box from the cluster, and it was the same, once the box sees the traffic it rebbots,
please found the following errors logs, which i think are the problem and i need to know how to solve it:

Feb 16 03:21:27 QR-FW1 [LOG_CRIT] kernel: Note: FW SXL Ver: 222050328, IPSO SXL Ver: 255061120
Feb 16 03:21:27 QR-FW1 [LOG_CRIT] kernel: FW-1: Nokia IPSO SecureXL device detected.Feb 16 03:21:27 QR-FW1 [LOG_CRIT] kernel: FW-1: SecureXL: Connection templates are not possible for the installed policy. Please refer to the documentation for further details.Feb 16 03:21:46 QR-FW1 [LOG_CRIT] kernel: rtm driver loadable interface called.
Feb 16 03:21:47 QR-FW1 [LOG_NOTICE] pm[134]: Reaped: S99cpboot[268]
Feb 16 03:21:47 QR-FW1 [LOG_NOTICE] pm[134]: Program S99cpboot is finished.

please advise

[chuachongchee]

Quote:

Originally Posted by CPone

i had a downtime yesterday to put the wo nokia IP 2450 into production, once i plugged all cables to the new boxes, they started to restart, whenever the traffic was passing through the boxes, they were restarting, i removed one box from the cluster, and it was the same, once the box sees the traffic it rebbots,
please found the following errors logs, which i think are the problem and i need to know how to solve it:

Feb 16 03:21:27 QR-FW1 [LOG_CRIT] kernel: Note: FW SXL Ver: 222050328, IPSO SXL Ver: 255061120
Feb 16 03:21:27 QR-FW1 [LOG_CRIT] kernel: FW-1: Nokia IPSO SecureXL device detected.Feb 16 03:21:27 QR-FW1 [LOG_CRIT] kernel: FW-1: SecureXL: Connection templates are not possible for the installed policy. Please refer to the documentation for further details.Feb 16 03:21:46 QR-FW1 [LOG_CRIT] kernel: rtm driver loadable interface called.
Feb 16 03:21:47 QR-FW1 [LOG_NOTICE] pm[134]: Reaped: S99cpboot[268]
Feb 16 03:21:47 QR-FW1 [LOG_NOTICE] pm[134]: Program S99cpboot is finished.

please advise

I remember one of my users were mentioning about disabling nokia flows? Not sure if that helps.

Another thing... Did you enable SecureXL? Not soo sure, but my understanding is that Nokia boxes come with onboard acclerator cards and do not need SecureXL? Check that both on Nokia box and Dashboard are both on or off, and the appropriate license is there??

[CPone]

Quote:

Originally Posted by chuachongchee

I remember one of my users were mentioning about disabling nokia flows? Not sure if that helps.

Another thing... Did you enable SecureXL? Not soo sure, but my understanding is that Nokia boxes come with onboard acclerator cards and do not need SecureXL? Check that both on Nokia box and Dashboard are both on or off, and the appropriate license is there??

how to disable the nokiA FLOws, and how to check the SecureXL option,
i opened anotther thread in the licensing section about the license, because i have an error on both nodes about the clusterXL, and i want to know what exactly the required licenses that should be installed on the smartcenter, knowing that i have two nokia in IP clustering, IPSO4.2, NGX r62 and smartcenter ngx r65

[chuachongchee]

Quote:

Originally Posted by CPone

how to disable the nokiA FLOws, and how to check the SecureXL option,
i opened anotther thread in the licensing section about the license, because i have an error on both nodes about the clusterXL, and i want to know what exactly the required licenses that should be installed on the smartcenter, knowing that i have two nokia in IP clustering, IPSO4.2, NGX r62 and smartcenter ngx r65

Sorry man... about the nokia flows thingy.. i'm really not too sure.. i'm not a nokia kinda guy.. hehe...

On the SecureXL portion... check in the firewall unit.. run cpconfig... see if performance pack or securexl is enabled or not.... not too sure for nokia... check if you have enabled state sync or ha for nokia too...

For license... you should be configured on the mgmt server that this is a 3rd party cluster... in the firewall object, under "configured products", uncheck securexl and cluster xl...., next, on the clusterxl portion or something.. (cant remember.... i dont have a gui with me atm)... change the HA to Nokia VRRP... the other settings can leave default... then install policy..

On license portion, you'll need 2 gateway license, one VPN1-Power/UTM license, and a HA gateway license... You'll need the managment server to be able to manage the gateways too... check how many sites you can manage on the mgmt server, one site = one gateway..

Be sure the backup everything, your firewall, mgmt server b4 making any changes.. haha.. play safe and be cautious...