Check Point firewall ClusterXL fault: resolving the FIB "problem" state


The office network has two Check Point firewalls running as a ClusterXL High Availability (active/standby) pair. The cluster developed the following fault: one member (CP-248) reported state Down while the other (CP-246) was Active, so failover between CP-246 and CP-248 could not succeed.
[NJZQ-CP-248]# cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number  Unique Address  Assigned Load  State
1        19.19.19.246    100%           Active
2 (local) 19.19.19.248   0%             Down

[NJZQ-CP-248]# cphaprob list   // Very useful command: it lists the critical components (Check Point calls them "Devices") that the cluster monitors
Built-in Devices:
Device Name: Interface Active Check
Current state: OK

Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 705.3 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 699.2 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.6 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec

Device Name: FIB
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 1 sec

The corresponding output on CP-246:

[NJZQ-CP-246]# cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number  Unique Address  Assigned Load  State
1 (local) 19.19.19.246   100%           Active
2        19.19.19.248    0%             Down

We also found that cphaprob list on CP-246 showed nothing abnormal; every device was OK:

[Expert@NJZQ-CP-246]# cphaprob list
Built-in Devices:
Device Name: Interface Active Check
Current state: OK

Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3077.4 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 3071.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.2 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec
After observing the symptoms above, we restarted ClusterXL on CP-248:

[NJZQ-CP-248]# expert
Enter expert password:
You are in expert mode now.
[Expert@NJZQ-CP-248]# clusterXL_admin down
Setting member to administratively down state ...
Member current state is Down
[Expert@NJZQ-CP-248]# clusterXL_admin up
Setting member to normal operation ...
Member current state is Down
Operation failed: member is still down, run 'cphaprob list' for further details

The restart did not help. A solution found online was to compare the cpconfig configuration entries of the two firewalls, which revealed a difference:

[NJZQ-CP-246]# expert
Enter expert password:
You are in expert mode now.
[Expert@NJZQ-CP-246]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1)  Licenses and contracts
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable cluster membership for this gateway
(7)  Configure Check Point CoreXL
(8)  Automatic start of Check Point Products
(9)  Exit

Enter your choice (1-9) :

[NJZQ-CP-248]# expert
Enter expert password:
You are in expert mode now.
[Expert@NJZQ-CP-248]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1)  Licenses and contracts
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable Advanced Routing   // Note this entry: it is where this firewall differs from CP-246, and Advanced Routing is currently enabled here.
(7)  Disable cluster membership for this gateway
(8)  Configure Check Point CoreXL
(9)  Automatic start of Check Point Products
(10) Exit

Enter your choice (1-10) :6   // Choose 6 and press Enter to disable the Advanced Routing feature.

Disable Advanced Routing...
============================
You have selected to disable advanced routing.
Are you sure? (y/n) [y] ? y   // Enter y
In order to accomplish the action, Check Point services should be restarted.
Restart now ? (y/n) [y] ? y   // Enter y; the Check Point service restart is shown below.

Advanced Routing Suite is now stopped
Stopping SmartView Monitor daemon ...
SmartView Monitor daemon is not running
Stopping SmartView Monitor kernel ...
Driver is Down.
rtmstop: SmartView Monitor kernel is not loaded
FloodGate-1 is already stopped.
-1/FW-1 stopped
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
cpstart: Power-Up self tests passed successfully
cpstart: Starting product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Starting product - -1
FireWall-1: starting external module - OK
FireWall-1: Starting fwd
Installing Security Policy Office-Cluster-Policy on all.all@NJZQ-CP-248
Fetching Security Policy from localhost succeeded
Fetching Security Policy From: 221.226.154.195 192.168.200.173
Local Policy is Up-To-Date.
The Policy was not installed because it is the same as the Policy already on the Module.
FireWall-1: enabling bridge forwarding
FireWall-1 started
cpstart: Starting product - FloodGate-1
FloodGate-1 is disabled. If you wish to start the service, please run 'etmstart enable'.
cpstart: Starting product - SmartView Monitor
SmartView Monitor: Not active
cpstart: Starting product - Advanced Routing
Advanced Routing is not enabled. Please use 'cpconfig' to enable it.
Advanced Routing was successfully disabled

Configuration Options:
----------------------
(1)  Licenses and contracts
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Enable Advanced Routing
(7)  Disable cluster membership for this gateway
(8)  Configure Check Point CoreXL
(9)  Automatic start of Check Point Products
(10) Exit

Once CP-248 had restarted, the cluster status was checked and had immediately returned to normal:

[Expert@NJZQ-CP-248]# cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number  Unique Address  Assigned Load  State
1        221.226.154.195 100%          Active
2 (local) 19.19.19.248   0%             Standby
[Expert@NJZQ-CP-248]#

Checking the cluster status on CP-246:

[Expert@NJZQ-CP-246]# cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number  Unique Address  Assigned Load  State
1 (local) 19.19.19.246   100%           Active
2        19.19.19.248    0%             Standby
[Expert@NJZQ-CP-246]#
With that, the cluster of the two Check Point firewalls was restored and active/standby failover worked normally again.
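The diagnosis above rests on two observations from cphaprob list: one member has a device in a non-OK state, and the two members do not register the same set of devices (the FIB device exists only on the member where Advanced Routing is enabled). The script below, added here as an illustration and not part of the original post or of any Check Point tooling, parses cphaprob list output into records and performs both checks, plus a staleness check that flags a device whose last report is older than its own timeout. The sample transcripts are constructed to mirror the page's output (abridged); in practice you would feed it the captured output of cphaprob list from each member.

```python
"""Parse `cphaprob list` output from ClusterXL members and flag trouble.

Added example (not from the original post). The sample text below is
constructed to mirror the page's transcripts, abridged to a few devices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Device:
    name: str
    state: str
    reg_no: Optional[int] = None          # built-in devices have none
    timeout_sec: Optional[float] = None   # 'none' -> None
    since_report_sec: Optional[float] = None


def _seconds(val: str) -> Optional[float]:
    """'2 sec' -> 2.0, '705.3 sec' -> 705.3, 'none' -> None."""
    m = re.match(r"([0-9.]+)", val)
    return float(m.group(1)) if m else None


def parse_cphaprob_list(text: str) -> List[Device]:
    """Each 'Device Name:' line opens a record; the 'key: value' lines that
    follow belong to it until the next 'Device Name:'. Section headers such
    as 'Built-in Devices:' carry no value and are skipped."""
    devices: List[Device] = []
    cur: Optional[Device] = None
    for raw in text.splitlines():
        key, sep, val = raw.strip().partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "device name":
            cur = Device(name=val, state="unknown")
            devices.append(cur)
        elif cur is None:
            continue
        elif key == "current state":
            cur.state = val
        elif key == "registration number":
            cur.reg_no = int(val)
        elif key == "timeout":
            cur.timeout_sec = _seconds(val)
        elif key == "time since last report":
            cur.since_report_sec = _seconds(val)
    return devices


def problem_devices(devices: List[Device]) -> List[str]:
    """Names of devices not reporting OK (e.g. the page's FIB 'problem')."""
    return [d.name for d in devices if d.state.lower() != "ok"]


def stale_devices(devices: List[Device]) -> List[str]:
    """Devices with a timeout whose last report is older than that timeout."""
    return [d.name for d in devices
            if d.timeout_sec is not None and d.since_report_sec is not None
            and d.since_report_sec > d.timeout_sec]


def registration_diff(local: List[Device], peer: List[Device]) -> Tuple[List[str], List[str]]:
    """Device names registered on only one member; a mismatch usually means the
    members' feature configuration differs (here: Advanced Routing)."""
    ln, pn = {d.name for d in local}, {d.name for d in peer}
    return sorted(ln - pn), sorted(pn - ln)


def member_report(local_text: str, peer_text: str) -> dict:
    local, peer = parse_cphaprob_list(local_text), parse_cphaprob_list(peer_text)
    only_local, only_peer = registration_diff(local, peer)
    return {"problem": problem_devices(local), "stale": stale_devices(local),
            "only_local": only_local, "only_peer": only_peer}


# Constructed sample: CP-248 (abridged), values taken from the page's output.
CP248_LIST = """Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 705.3 sec
Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.6 sec
Device Name: FIB
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 1 sec
"""

# Constructed sample: CP-246 (abridged); note there is no FIB device at all.
CP246_LIST = """Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3077.4 sec
Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.2 sec
"""

if __name__ == "__main__":
    print(member_report(CP248_LIST, CP246_LIST))
```

Run against the constructed samples, the report lists FIB both as the problem device and as the only device registered on CP-248 but not on CP-246, which is exactly the pointer toward the differing cpconfig entry; the stale check is empty because every device with a timeout reported within it.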