CPUG: The Check Point User Group


Thread: Gateway loses state table on policy install

  1. #1

    Gateway loses state table on policy install

    I have two R75.47 Gaia ClusterXL HA clusters which are both installation targets for the same firewall policy. It started intermittently, but now every time I install policy I get dropped out-of-state packets (src port = 80, 443, etc. or "First packet isn't SYN"). TAC has already acknowledged that this must be a bug but closed my case after they failed to recreate it in the lab.

    I've checked the usual suspects:
    "keep all connections" is set
    cluster state is frozen during policy install, so the cluster is not failing over during policy install (this is the default on R75.47)

    I tried installing the latest Check Point Jumbo Hotfix for R75.47 on management and gateways; issue still present.
    I tried running a migrate export on my R75.47 management and imported it into a clean install of R77.20; issues still present.

    Blades: FW, VPN, IPS, AV, ABOT, APCL, IA
    Open Server (Dell R710)
    SecureXL & CoreXL enabled

    I will be re-opening my case with TAC but I wanted to see if anyone has experienced something like this before. Any suggestions?

  2. #2

    Re: Gateway loses state table on policy install

    Quote: Originally Posted by sleith
    > I have two R75.47 Gaia ClusterXL HA clusters which are both installation targets for the same firewall policy. It started intermittently, but now every time I install policy I get dropped out-of-state packets (src port = 80, 443, etc. or "First packet isn't SYN"). TAC has already acknowledged that this must be a bug but closed my case after they failed to recreate it in the lab.
    >
    > I've checked the usual suspects:
    > "keep all connections" is set
    > cluster state is frozen during policy install, so the cluster is not failing over during policy install (this is the default on R75.47)
    >
    > I tried installing the latest Check Point Jumbo Hotfix for R75.47 on management and gateways; issue still present.
    > I tried running a migrate export on my R75.47 management and imported it into a clean install of R77.20; issues still present.
    >
    > Blades: FW, VPN, IPS, AV, ABOT, APCL, IA
    > Open Server (Dell R710)
    > SecureXL & CoreXL enabled
    >
    > I will be re-opening my case with TAC but I wanted to see if anyone has experienced something like this before. Any suggestions?

    Do you have any control/wrench events showing up in the SmartView Tracker during a policy install?

    Try this: completely power off one of the members; the surviving member will go into an "Attention" state, which is fine, and it will still pass traffic. Install policy to the cluster, being sure to uncheck the box "if policy installation fails on one member, do not install at all". Do you still see the messages?

  3. #3

    Re: Gateway loses state table on policy install

    Quote: Originally Posted by sleith
    > TAC has already acknowledged that this must be a bug but closed my case after they failed to recreate it in the lab.
    >
    > I will be re-opening my case with TAC but I wanted to see if anyone has experienced something like this before. Any suggestions?

    Ouch, sorry to hear they closed the ticket simply because they couldn't understand the issue.

    Have you done anything to minimize the load on the gateways? Specifically the traffic that gets synced? I know it sounds weird, but the less busy your sync network is, the easier it is for the clusters to accept a new policy.
    It's all in the documentation.

  4. #4

    Re: Gateway loses state table on policy install

    I've seen it sometimes if you have multiple clusters in the same environment. If so, change the MAC magic and forward magic parameters (sk25977). Also, if you have dynamic routing enabled and it is not being used, I would turn that off. Also, try pushing policy to each member individually (bring down one member) and see if you experience the same issue.
