CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: "Active Attention" and mismatched "Required interfaces"

  1. #1
    Join Date
    2009-01-13
    Posts
    4
    Rep Power
    0

    Default "Active Attention" and mismatched "Required interfaces"

    I have a two node R65 active/standby cluster that has just started to misbehave today.

    "cphaprob state" on the active node shows the active attention message, while the standby looks fine.

    I have narrowed the problem down to a mismatch in the number of required interfaces that "cphaprob -a if" shows:

    Node A
    Required interfaces: 11
    Required secured interfaces: 1

    sit0 DOWN (51.2 secs)non sync(non secured), broadcast
    eth0 DOWN (51.2 secs)non sync(non secured), broadcast
    eth1 UP non sync(non secured), multicast
    eth2 UP non sync(non secured), multicast
    eth3 UP non sync(non secured), multicast
    eth4 UP sync(secured), multicast
    eth6 DOWN (51.2 secs)non sync(non secured), broadcast
    eth7 DOWN (51.2 secs)non sync(non secured), broadcast
    eth8 DOWN (51.2 secs)non sync(non secured), broadcast
    eth9 UP non sync(non secured), multicast
    eth5 UP non sync(non secured), multicast (eth5.3 )

    Node B
    Required interfaces: 6
    Required secured interfaces: 1

    sit0 DOWN (57.6 secs)non sync(non secured), broadcast
    eth0 DOWN (57.6 secs)non sync(non secured), broadcast
    eth1 UP non sync(non secured), multicast
    eth2 UP non sync(non secured), multicast
    eth3 UP non sync(non secured), multicast
    eth4 UP sync(secured), multicast
    eth6 DOWN (57.6 secs)non sync(non secured), broadcast
    eth7 DOWN (57.6 secs)non sync(non secured), broadcast
    eth8 DOWN (57.6 secs)non sync(non secured), broadcast
    eth9 UP non sync(non secured), multicast
    eth5 UP non sync(non secured), multicast (eth5.3 )


    Node B is correct, it only requires those 6 interfaces up.

    Any idea how I can force/fool Node A into behaving as it should?

  2. #2
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    14

    Default Re: "Active Attention" and mismatched "Required interfaces"

    You could try this:

    All interfaces that are not part of the ClusterXL topology should be defined in:
    $FWDIR/conf/discntd.if
    It's all in the documentation.

  3. #3
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    14

    Default Re: "Active Attention" and mismatched "Required interfaces"

    We have a lot of problems with multicast mode for CCP.
    Just a suggestion: change it to broadcast on both cluster members:
    cphaconf set_ccp broadcast

  4. #4
    Join Date
    2008-12-10
    Location
    New Zealand
    Posts
    2
    Rep Power
    0

    Default Re: "Active Attention" and mismatched "Required interfaces"

    Coincidentally, we've seen the same issue on two separate (SPLAT) cluster instances recently, but it seems to be only immediately after upgrading to R65 HFA50.
    On the host showing 'active attention' (with the wrong required interface count) doing cpstop; cpstart or cphastart/stop, or policy reinstall didn't help. Doing a reboot though did seem to resolve it. Not convinced it is resolved permanently though.
    We're also running in the default multicast mode.

  5. #5
    Join Date
    2011-04-18
    Location
    Mumbai, India
    Posts
    12
    Rep Power
    0

    Default Re: "Active Attention" and mismatched "Required interfaces"

    The required interfaces count mismatch among Check Point firewalls in a cluster is a known issue in Check Point UTM/SPLAT appliances/platforms.

    To avoid this issue, you have to disable the unused interfaces in both interfaces and reboot the firewall which is showing invalid values.

    For example:

    FW-A; cphaprob -a if

    Required interface count: 4

    FW-B; cphaprob -a if output

    Required interface count: 10

    In this case, disable the unused interfaces on both FW-A and FW-B. Reboot FW-B to bring it into the cluster with proper values.
    Last edited by clickmesri; 2012-08-21 at 10:39. Reason: signature change

  6. #6
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Default Re: "Active Attention" and mismatched "Required interfaces"

    A simple ifdown on the interfaces you're not using will suffice.

    ifdown eth7

    ifdown Lan3

    etc.

    Check netconf.C before and after; you'll notice that the ":iff-up (1)" field changes.

    cat /etc/sysconfig/netconf.C

    This change does survive a reboot.
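
An added example, not part of any post in this thread: a small shell check that summarises saved "cphaprob -a if" output per member and flags the condition described in the first post. It assumes the output has been saved to text files; the function names, file names and the rule "required count should equal the number of UP interfaces" are assumptions drawn from the poster's remark that Node B is the correct one.

```shell
#!/bin/sh
# Print "<required> <up-count> <down-names>" for saved `cphaprob -a if` output.
cphaprob_if_summary() {
    awk '
        /^[ \t]*Required interfaces:/ { required = $NF; next }
        $2 == "UP"   { up++; next }
        $2 == "DOWN" { down = down (down ? "," : "") $1 }
        END { printf "%s %d %s\n", required, up, (down ? down : "-") }
    ' "$1"
}

# Succeed only when the required count equals the number of UP interfaces.
# Assumed heuristic, based on the thread's statement that Node B is correct.
cphaprob_if_check() {
    set -- $(cphaprob_if_summary "$1")
    [ "$1" -eq "$2" ]
}

# Sample data: Node A output as posted in the first message of the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/node_a.txt" <<'EOF'
Required interfaces: 11
Required secured interfaces: 1
sit0 DOWN (51.2 secs)non sync(non secured), broadcast
eth0 DOWN (51.2 secs)non sync(non secured), broadcast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
eth3 UP non sync(non secured), multicast
eth4 UP sync(secured), multicast
eth6 DOWN (51.2 secs)non sync(non secured), broadcast
eth7 DOWN (51.2 secs)non sync(non secured), broadcast
eth8 DOWN (51.2 secs)non sync(non secured), broadcast
eth9 UP non sync(non secured), multicast
eth5 UP non sync(non secured), multicast (eth5.3 )
EOF
# Node B as posted differs only in the required count and the DOWN timers.
sed -e 's/^Required interfaces: 11/Required interfaces: 6/' -e 's/51\.2/57.6/' \
    "$tmp/node_a.txt" > "$tmp/node_b.txt"

for f in "$tmp/node_a.txt" "$tmp/node_b.txt"; do
    if cphaprob_if_check "$f"; then verdict=consistent; else verdict=MISMATCH; fi
    echo "$(basename "$f"): $(cphaprob_if_summary "$f") -> $verdict"
done
```

The DOWN names in the third field are the interfaces the replies suggest listing in $FWDIR/conf/discntd.if or taking down with ifdown.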
