Issues with SMS running R80.20M1

**PeterSmith78** · 2019-12-30

Hi All, Hoping that you are enjoying the Festive Season.

We have the following environment:
A cluster of 4 x Gateways (Open Servers) running Gaia R80.20
A Primary and a Secondary Security Management Server (Open Servers) running Gaia R80.20M1.
(We discovered that this is not a supported configuration as we should not use R80.20M1 management servers
to manage R80.20 gateways. However this configuration has been working OK for around a year).

We had an issue whereby we couldn't connect to the Primary SMS via Smart Console.
We opened a TAC case with Checkpoint but they made the issue worse by making a change to the Secondary so that it no longer Synchs with the Primary.
(I'm not exactly sure what they did, they made the change without asking me if I'd taken a Snapshot and unfortunately I hadn't).

So I'm now in a position where I've got:
A Primary R80.20M1 SMS (which I can't connect via Smart Console but can connect to with SSH) to with an out of date rulebase.
A Secondary R80.20M1 SMS which is working OK with an up to date rulebase.
I've built two completely NEW open servers and installed Gaia R80.20 on them. I've built one as Primary and one as a secondary
(with the same IP addresses as the existing SMS's).
I have tried taking a migrate export from the existing R80.20M1 Primary SMS (albeit with an out of date rulebase) and importing this onto the new server
which I built as an R80.20 Primary SMS. However this produces error messages which Checkpoint's R+D department are still investigating.

So anyway my question is, can I do the following? :
1) Upgrade the existing R80.20M1 Secondary server to R80.20M2.
2) Upgrade the new server which I've built as a Secondary SMS from R80.20 to R80.20M2.
3) Export the database from the old Secondary SMS to the new Secondary SMS.
4) Promote this new Secondary SMS to be the primary.
5) Install the other new server as an R80.20M2 SMS secondary and synch it to the new primary.
(I have put this idea to Checkpoint but they say they don't recommend it because R80.20M2 is apparently "unstable").
I would very much welcome any ideas. Perhaps you would recommend a completely different course of action but please let me know your opinion.
Many thanks in advance.

**Bob_Zimmerman** · 2019-12-30

Who said managing R80.20 firewalls from an R80.20M1 SmartCenter isn't supported? That doesn't sound right at all. Last I heard, managing R80.20 firewalls from R80 (no dot) is supported, you just don't get any of the new R80.20 firewall features.

R80.20M1 is a later feature release than R80.20, so it doesn't surprise me that the configuration can't be imported from M1 onto R80.20.

I would try to stabilize the existing primary SmartCenter. If the change to your secondary SmartCenter was not your doing, you're almost certainly safe to just overwrite the secondary with the database from the primary once you get it back up.

What does SmartConsole do when you try to connect?

Are you able to connect with the API locally on the box? 'mgmt_api login -r true | tee sessionCookie.txt' should tell you. If it doesn't throw an error, you can log out afterwards with 'mgmt_api -s sessionCookie.txt logout'.

What does 'cpwd_admin list' say?

Do you see any core dumps in /var/log/dump/usermode?

**PeterSmith78** · 2020-01-02

Firstly thanks very much for taking the time to reply.
I was told by one of my senior colleagues that R80.20 was a later version than R80.20m1 but it seems this isn't actually the case from what you say.
I'm surprised that the three Checkpoint TAX engineers that I've been speaking to couldn't tell me that as it would have saved me a lot of time.

Anyway I logged onto the primary R80.20M1 management server to run the troubleshooting commands which you mentioned. However, to my surprise, I find that I actually CAN now connect to this R80.20M1 management server using Smart Console, so it seems to have rectified itself without any intervention (although I don't know how stable the server is).

So I've now got a slightly different issue: I've got an out of date primary management server (R80.20M1) and an up to date secondary management server (R80.20M2).
Checkpoint have made some changes to the secondary management server so that there is no longer a trust relationship between the primary and the secondary.
As soon as the primary comes online it seems to revoke the certificate of the secondary. The secondary then goes down and I have to shut down the primary and revert to a snapshot on the secondary to get it working again.

Do you know if there's any way to restore the trust relationship between the primary and the secondary and then to replicate the up-to-date database from the secondary to the out-of-date primary?
I suspect there isn't and I will therefore have to reset sic the secondary and then replicate the out-of-date database from the primary to the secondary and then bring the database up to date manually which will take a long time. If you know of a better way then this would be much appreciated!
Thanks again.

**Bob_Zimmerman** · 2020-01-02

Sounds like at this point, your best bet is to treat it as a completely failed primary SmartCenter. I don't know the process for R80-family management off the top of my head, but support should definitely be able to help. This is a much simpler problem than fixing a broken thing in-place.