CPUG: The Check Point User Group

Thread: Peer not reachable management HA

#1  greyfeld (Junior Member)  2006-07-18

Wanted to share my recent experience since there didn't seem to be a whole lot out there about this issue. It ended up being a "try this and it worked" kind of episode. So here goes:

I had inherited a primary and secondary SmartCenter Server running R55. The secondary was not syncing with the primary. The secondary showed as unreachable in the Policy | Management High Availability screen. When I would try to manually sync, I would get the error that the peer was not reachable. It showed it was synchronized on this screen, but a visit to the secondary server showed policies hadn't updated in a long time.

To make a long story short, it turned out the $FWDIR/conf/mgmtha.conf and $FWDIR/conf/mgmtha_stack files were to blame. The mgmtha.conf file on the secondary server existed, but was 0 bytes. The primary one looked OK. The process to fix this problem follows:

1. Backup the mgmtha.conf and mgmtha_stack files on both SMS boxes.
2. Perform a cpstop on both servers.
3. Delete the mgmtha.conf and mgmtha_stack files on both boxes.
4. Perform a cpstart on both servers.
5. The restart regenerates the files on both servers.

After doing this, the status showed as reachable and not synchronized. Performing a manual sync worked, and now the updated policies all appear on the secondary server.

As a side note, one indicator that your Management HA configuration isn't working is if you try logging into SmartDashboard on the secondary server and you are not asked whether you want to take it from standby to active or read-only. When it was broken, this pop-up box never appeared when we would log onto the secondary server, and it acted just like a primary server. Another indicator of the problem was seen in the audit log whenever a policy was modified when you have automatic sync turned on. The audit log would show that the peer did not synchronize when the policy was saved.

Hope this helps someone else, as the information out there at Check Point and stuff found via Google was not very helpful!
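The five-step procedure in the post above, scripted so it can be run the same way on both SmartCenter boxes. This is an added example, not code from greyfeld's post or from Check Point: it assumes $FWDIR is exported by the Check Point shell environment (the post uses $FWDIR, the rest of the path handling is this example's), that cpstop and cpstart are on the PATH, and it adds a check for the exact symptom the post describes (a mgmtha.conf that exists but is 0 bytes) before anything is deleted. The CPSTOP/CPSTART variables and the "check"/"reset" sub-commands are this example's own convention, so a dry run can substitute "true" for the real service commands.

```shell
#!/bin/sh
# Added example (not from the original post): greyfeld's steps 1-4 on ONE
# SmartCenter box. Run it on the primary and on the secondary, then perform
# the manual sync from SmartDashboard. Step 5 (regenerating the two files)
# is done by cpstart itself.
#
# Assumptions not stated on the page: FWDIR is exported by the Check Point
# environment; CPSTOP/CPSTART can be overridden (e.g. with "true") for a dry run.

CPSTOP="${CPSTOP:-cpstop}"
CPSTART="${CPSTART:-cpstart}"
HA_FILES="mgmtha.conf mgmtha_stack"

# Resolve the conf directory: first argument, else $FWDIR/conf (FWDIR must be set).
conf_dir() {
    printf '%s\n' "${1:-${FWDIR:?FWDIR not set, source the Check Point environment first}/conf}"
}

# Report the state of both HA files: missing, empty or ok.
# Returns 1 when any file is present but 0 bytes, the symptom from the post.
check_mgmtha_files() {
    dir=$(conf_dir "$1") || return 2
    rc=0
    for f in $HA_FILES; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            echo "$p: missing"
        elif [ ! -s "$p" ]; then
            echo "$p: EMPTY (0 bytes) - broken Management HA state"
            rc=1
        else
            echo "$p: ok, $(wc -c < "$p" | tr -d ' ') bytes"
        fi
    done
    return $rc
}

# Step 1: copy the HA files into a timestamped backup directory; prints its path.
backup_mgmtha_files() {
    dir=$(conf_dir "$1") || return 2
    bdir="$dir/mgmtha-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bdir" || return 1
    for f in $HA_FILES; do
        if [ -e "$dir/$f" ]; then
            cp -p "$dir/$f" "$bdir/$f" || return 1
        fi
    done
    printf '%s\n' "$bdir"
}

# Steps 2-4: cpstop, delete both files, cpstart. Nothing is deleted unless
# the backup succeeded and cpstop returned 0.
reset_mgmtha_files() {
    dir=$(conf_dir "$1") || return 2
    bdir=$(backup_mgmtha_files "$dir") || { echo "backup failed, nothing changed" >&2; return 1; }
    echo "backup written to $bdir"
    "$CPSTOP" || { echo "$CPSTOP failed, files left in place" >&2; return 1; }
    for f in $HA_FILES; do
        rm -f "$dir/$f"
    done
    "$CPSTART"
}

# Usage: sh mgmtha_reset.sh check [conf_dir]   or   sh mgmtha_reset.sh reset [conf_dir]
case "${1:-}" in
    check) check_mgmtha_files "$2" ;;
    reset) reset_mgmtha_files "$2" ;;
esac
```

Run "check" on both servers first: an "EMPTY (0 bytes)" line for mgmtha.conf is the condition the post found on the secondary. After "reset" on both boxes the Management High Availability screen should show the peer as reachable and not synchronized, and the manual sync is done from SmartDashboard as the post describes.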
#2  jacobsen (Member, Germany)  2006-07-19

Thanks a lot for your how-to.