Smartview monitor - 1 gateway disconnected

[joeri]

Hi,

we have 1 firewall which stays disconnected in smartview monitor, analysis:
- mgmt traffic allowed in policy
- policy push is OK
- SIC is OK
- logs are OK
- with netstat mgmt ports are listening
- when doing fw monitor we see firewall sending resets back to the mgmt, however not able to find the cause of those resets...

has anybody an idea what the problem could be ?

thanks !!!

[AB2AB2]

I rise this ancient question up. I have the same trouble. My Edges show wrong "Disconnected" status. First, one of my Edges goes wrong, and two days later - the second. And I can work with sites that protected by this "disconnected" Edges, so they are really connected.

Other modules (SPLAT) show themselves right.

Version of CheckPoint - last actual R65 HFA02 + known fix for Edges.

[dinesh_ymca]

Hi,
You are seeing the gateway as discinnect right from the beginining or was it happned after doing some configuration chnage. You can try cpstop and cpstart on that gateway which sometimes solved the problem.
Best Regards
Dinesh
The world of technology
(good technical articles)

[foyster]

I have seen a similar issue under SPLAT R65 v2.6 and Smart view Monitor. It seems that When a cluster is under a bit of load that SVMonitor says that the FW is discosnnected. When the load goes away all is OK.

I have opened a TAC case and I am awaitng a reply.

[lammbo]

I am also experiencing this with R65 (2.6) Gateways in HA. I do not believe that load has anything to do with this.

SCS is R65 HFA_02 (HA), GUI Client is R65 HFA_01

I have 2 sites exhibiting this behavior: Both sites are New Mode ClusterXL and cluster recovery behavior is set to Maintain current active Cluster Member.

Site 1 The hardware at this site is Dell and all components are on the HCL.
Is a new site I am cutting to (from PIX) on 11 Oct - i.e. there are only 20 or so connections on the cluster at this time, no vpn tunnels, no clients, etc. I just built these gateways 3 days ago.

Yesterday, fw2 showed in SVM as 'device disconnected'. A quick SSH session in expert mode and I discovered the results of the 'uptime' command showed 3 day, which was accurate. Without me changing a thing, the gateway came back on SVM several hours later and displayed an uptime as if it had rebooted.

A quick review of the firewall logs showed this gateway was never down. I saw my SPLAT GUI traffic and my SSH traffic, as well as traffic from SCS during the period it showed as disconnected - including the policy push that was successful during this supposed outage. The gateway was never down, fail over never occurred.


Site 2 The hardware at this site is HP and all components are on the HCL.
Is in Vancouver and has been live for months now. It is very low volume and usually has 500 to 1000 connections, somewhere around 20 tunnels to other gateways managed by the same SCS and is also running in HA.

2 days ago, fw1 showed as disconnected and the same type of testing as site 1 revealed exactly the same results. The gateway was never down but was th passive gateway.


Additional info:
I also have a single gateway test site running R65 (2.6). At this site, SVM will sometimes display 100% CPU usage in the Gateway status GUI. However, displaying system information details on this gateway will reveal the proper CPU utilization status of 1%. An SSH session and displaying TOP confirms this, meaning only the CPU usage graph is incorrect.


Conclusions so far:
Active/Passive status is not a factor
Hardware is most likely not a factor
SVM Gateway Status GUI is most likely bugged when operating with R65 (2.6) Gateways since system details within SVM displays the correct information, confirmed via SSH on the gateway.

[foyster]

I have raised a Checkpoint call regarding R62 2.6 Smart View monitor displaying 100 % CPU usage and / or in some cases the FW as disconnected.

Checkpoints response is “the issue is connected to multi cpu of firewalls.” And “This issue is currently investigated by R&D.”

[melipla]

Quote:

Originally Posted by foyster

I have raised a Checkpoint call regarding R62 2.6 Smart View monitor displaying 100 % CPU usage and / or in some cases the FW as disconnected.

Checkpoints response is “the issue is connected to multi cpu of firewalls.” And “This issue is currently investigated by R&D.”

I'm having the same issue with an R65 kernel 2.6 gateway, the CPU stays at 100%. Did they provide you with a hotfix?

[foyster]

No hotfix as yet, but Checkpoint have been great at sending a weekly status update on the call.

The last response from them is "Our programmers involved into this issue. As we have a couple similar cases, we analyzing all the details and debugs in order to find root of our issue."


Will advise Cpug when a fix is available

[napalm255]

We too have a very similar situation. We've got a SPLAT 2.6 Cluster running R65 (with stock HFA_02) and a management server running R65 with HFA_30. The cluster is fine and we can fail over from one to the other with no apparent issues. We can push rules to SPLAT and traffic flows just fine. We also have a down level R55 single instance server (non-cluster) that is also handled by the same management server.

Every now and then we get an alert saying that one of the members has been disconnected (on the cluster as well as the non-clustered server). This alert does not seem to cause any functionality issues for us. Although not every instance, on occasion it pops up when we open the Dashboard/Monitor/etc. At other times it seems completely random. We've had these alerts occur after hours at 3AM and 5AM when there is almost no traffic.

We have an open support case with checkpoint and the guy seems to think it's SmartCenter related, which at this point I think I'd have to agree - but what? Our support contact hasn't mentioned anything about a current issue being researched, though maybe he hasn't asked the right people yet.

I take it no one has had any luck addressing this issue and we all await checkpoint?? :(