Checkpoint防火墻ClusterXL 故障之FIB Problem問題解決

成都創(chuàng)新互聯(lián)公司網(wǎng)絡(luò)公司擁有十余年的成都網(wǎng)站開發(fā)建設(shè)經(jīng)驗(yàn)，千余家客戶的共同信賴。提供網(wǎng)站設(shè)計(jì)制作、成都網(wǎng)站建設(shè)、網(wǎng)站開發(fā)、網(wǎng)站定制、友情鏈接、建網(wǎng)站、網(wǎng)站搭建、響應(yīng)式網(wǎng)站建設(shè)、網(wǎng)頁設(shè)計(jì)師打造企業(yè)風(fēng)格，提供周到的售前咨詢和貼心的售后服務(wù)

 

辦公網(wǎng)有兩臺(tái)CheckPoint防火墻做cluster的HA主備模式，Custer-HA出現(xiàn)故障現(xiàn)象如下（其中一臺(tái)CP-248狀態(tài)為down，一邊CP-246為active），導(dǎo)致CP-246和CP-248的cluster的HA準(zhǔn)備切換不成功。

[NJZQ-CP-248]# cphaprob stat  

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1       19.19.19.246    100%            Active     

2 (local) 19.19.19.248    0%              Down   

 

[NJZQ-CP-248]# cphaprob list  //該命令非常有用，用于查找出CP防火墻cluster的監(jiān)控的關(guān)鍵組件（cp稱為Device）

 

Built-in Devices:

 

Device Name: Interface Active Check

Current state: OK

 

Registered Devices:

 

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 705.3 sec

 

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 699.2 sec

 

Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.6 sec

 

Device Name: fwd

Registration number: 3

Timeout: 2 sec

Current state: OK

Time since last report: 0.4 sec

 

Device Name: FIB

Registration number: 4

Timeout: none

Current state: problem

Time since last report: 1 sec

 

對(duì)應(yīng)的CP-246的顯示如下：

 

[NJZQ-CP-246]# cphaprob stat

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1 (local) 19.19.19.246    100%            Active     

2     19.19.19.248    0%              Down 

 

并且發(fā)現(xiàn)對(duì)應(yīng)的CP-246的cphaprob list顯示并無異常，均為OK。

 

[Expert@NJZQ-CP-246]# cphaprob list

 

Built-in Devices:

 

Device Name: Interface Active Check

Current state: OK

 

Registered Devices:

 

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 3077.4 sec

 

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 3071.4 sec

 

Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.2 sec

 

Device Name: fwd

Registration number: 3

Timeout: 2 sec

Current state: OK

Time since last report: 0.8 sec

發(fā)現(xiàn)以上的故障現(xiàn)象后，對(duì)CP-248的clusterXL進(jìn)行重啟如下：

[NJZQ-CP-248]# expert

Enter expert password:

 

You are in expert mode now.

 

[Expert@NJZQ-CP-248]# clusterXL_admin down

Setting member to administratively downstate ...

Member current state is Down

[Expert@NJZQ-CP-248]# clusterXL_admin up 

Setting member to normal operation ...

Member current state is Down

Operation failed: member is still down,run 'cphaproblist' for further details

 

重啟后，仍然不成功。

 

從網(wǎng)上找到解決方法：比較兩臺(tái)fw的cpconfig配置條目發(fā)現(xiàn)：

[NJZQ-CP-246]# expert

Enter expert password:

 

You are in expert mode now.

 

[Expert@NJZQ-CP-246]# cpconfig

This program will let you re-configure

your Check Point products configuration.

 

 

Configuration Options:

----------------------

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Disable cluster membership for this gateway

(7) Configure Check Point CoreXL

(8) Automatic start of Check Point Products

 

(9) Exit

 

Enter your choice (1-9) :

 

[NJZQ-CP-248]# expert

Enter expert password:

 

You are in expert mode now.

 

[Expert@NJZQ-CP-248]# cpconfig

This program will let you re-configure

your Check Point products configuration.

 

 

Configuration Options:

----------------------

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6)  Disable Advanced Routing  //注意到該部分為此防火墻和CP-246防火墻不一致的地方，且當(dāng)前已經(jīng)處于開啟狀態(tài)。

(7) Disable cluster membership for this gateway

(8) Configure Check Point CoreXL

(9) Automatic start of Check Point Products

 

(10) Exit

 

Enter your choice (1-10) :6 //這里選擇6，回車，將Advanced Routing功能disable掉。

 

Disable Advanced Routing...

============================

 

You have selected to disable advancedrouting.

Areyou sure? (y/n) [y] ? y   //輸入y

 

In order to accomplish the action, CheckPoint services should be restarted.

 Restart now ? (y/n) [y] ? y  //輸入y，下面顯示CP的服務(wù)重啟過程。

Advanced Routing Suite is now stopped

Stopping SmartView Monitor daemon ...

SmartView Monitor daemon is not running

Stopping SmartView Monitor kernel ...

Driver is Down.

rtmstop: SmartView Monitor kernel is notloaded

FloodGate-1 is already stopped.

×××-1/FW-1 stopped

SVN Foundation: cpd stopped

SVN Foundation: cpWatchDog stopped

SVN Foundation stopped

cpstart: Power-Up self tests passedsuccessfully

 

cpstart: Starting product - SVN Foundation

 

SVN Foundation: Starting cpWatchDog

SVN Foundation: Starting cpd

SVN Foundation started

 

cpstart: Starting product - ×××-1

 

FireWall-1: starting external ××× module --OK

FireWall-1: Starting fwd

 

 

Installing Security PolicyOffice-Cluster-Policy on all.all@NJZQ-CP-248

Fetching Security Policy from localhostsucceeded

 

Fetching Security Policy From:221.226.154.195 192.168.200.173

 

 Local Policy is Up-To-Date.

 ThePolicy was not installed because it is the same as the Policy already on theModule.

FireWall-1: enabling bridge forwarding

FireWall-1 started

 

cpstart: Starting product - FloodGate-1

 

FloodGate-1 is disabled. If you wish tostart the service, please run 'etmstart enable'.

 

cpstart: Starting product - SmartViewMonitor

 

SmartView Monitor: Not active

 

cpstart: Starting product - AdvancedRouting

 

Advanced Routing is not enabled. Please use'cpconfig' to enable it.

 

Advanced Routing was successfully disabled

 

Configuration Options:

----------------------

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Enable Advanced Routing

(7) Disable cluster membership for this gateway

(8) Configure Check Point CoreXL

(9) Automatic start of Check Point Products

 

(10) Exit

 

CP-248重啟后，查看cluster的狀態(tài)，立即恢復(fù)了正常。

 

[Expert@NJZQ-CP-248]# cphaprob stat

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1         221.226.154.195 100%           Active     

2 (local) 19.19.19.248    0%              Standby    

 

[Expert@NJZQ-CP-248]#

查看CP-246，查看cluster狀態(tài)如下：

 

[Expert@NJZQ-CP-246]# cphaprob stat

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1 (local) 19.19.19.246    100%            Active     

2         19.19.19.248    0%              Standby    

 

[Expert@NJZQ-CP-246]#

至此，兩臺(tái)CP防火墻的Cluster已經(jīng)成功，主備倒換正常。

新聞名稱：Checkpoint防火墻ClusterXL故障之FIBProblem問題解決
文章路徑：http://chinadenli.net/article46/jeideg.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供網(wǎng)站建設(shè)、電子商務(wù)、網(wǎng)站排名、云服務(wù)器、外貿(mào)建站、動(dòng)態(tài)網(wǎng)站

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源： 創(chuàng)新互聯(lián)