Tuesday, May 17, 2011

How to fix Check Point High Availability State Synchronization

The purpose of this article is to show how to fix state sync issues in a Check Point High Availability environment. In an HA configuration, one firewall acts as the primary and the other as the secondary firewall. This is also known as a Master-Backup scenario. The state tables of the Master are replicated onto the secondary firewall only while state sync is working between the two firewalls. When the sync is broken, existing sessions will be dropped on failover. The sync can stop working for several reasons. These are a few ways of fixing the sync between two firewalls:

This is how you check if the sync is working or not:

CheckpointFW[admin]# cphaprob stat
Working mode: Service
Number     Unique Address  State
1          192.168.1.1     active
2 (local)  192.168.1.2     down      <---------------- This shows that the sync is broken
CheckpointFW[admin]#

You can run the same command, "cphaprob stat", on both the Master and the Backup firewall to see on which firewall the sync is broken.

In normal cases, the broken sync can be fixed by running cpstop followed by cpstart (cpstop;cpstart).

CheckpointFW[admin]# cpstop
FW: stopping VPN-1 module -- OK
FireWall-1: Warning - FireWall-1 does not enforce any policy
FW-1: disabling IP forwarding. To enable run: "ipsofwd on "
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
CheckpointFW[admin]#

CheckpointFW[admin]# cpstart
cpstart: Start product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Start product - FireWall-1
FireWall-1: starting external VPN module -- OK
Generating tmp/cphamacs file ...
Generating tmp/cphaips file ...
Restoring previous problem notification devices statuses.
FireWall-1: Starting fwd
Installing Security Policy fwpolicy on all.all@CheckpointFW

If the issue is fixed, you will get the following result for the "cphaprob stat" command:

CheckpointFW[admin]# cphaprob stat
Working mode: Service
Number     Unique Address  State
1          192.168.1.1     active
2 (local)  192.168.1.2     active    <------- This shows that the sync is established
CheckpointFW[admin]#

If the problem is not fixed, you can try disabling and then re-enabling "Check Point High Availability/State Synchronization" from the cpconfig utility.

This is how you do it:

CheckpointFW[admin]# cpconfig
This program will let you re-configure your VPN-1 & FireWall-1 configuration.

Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Automatic start of Check Point Products
(8) Exit

Enter your choice (1-8) :6
Configuring Disable Check Point High Availability/State Synchronization...
=============================================
High Availability module is currently enabled.
Would you like to disable the High Availability module (y/n) [y] ?
MAC removal on IPSO is not supported.
The uninstall process of CPHA macs has failed.: Interrupted system call
Check Point High Availability/State Synchronization was disabled successfully

You have changed the High Availability configuration.
Would you like to stop the High Availability Module now? (y/n) [y] ?
*************************************************************
The High Availability module is now disabled.
cpconfig will now end. To continue, please run cpconfig again.
*************************************************************
CheckpointFW[admin]#

CheckpointFW[admin]# cphaprob stat
HA module not started.
CheckpointFW[admin]#

CheckpointFW[admin]# cpconfig
This program will let you re-configure your VPN-1 & FireWall-1 configuration.

Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Check Point High Availability/State Synchronization
(7) Automatic start of Check Point Products
(8) Exit

Enter your choice (1-8) :6
Configuring Enable Check Point High Availability/State Synchronization...
===================================
High Availability module is currently disabled.
Would you like to enable the High Availability module (y/n) [y] ?
Restoring previous problem notification devices statuses.
Check Point High Availability/State Synchronization was enabled successfully
---------------------------------------
You have changed the High Availability configuration.
Would you like to restart High Availability Module now so that your changes will take effect? (y/n) [y] ?
Note that the 'start' parameter is obsolete.
Use /opt/CPfw1-50-03/bin/cphastart -h for usage
Restoring previous problem notification devices statuses.
*************************************************************
The High Availability module is now enabled.
cpconfig will now end. To continue, please run cpconfig again.
*************************************************************
CheckpointFW[admin]#

You can check the sync state again using the cphaprob stat command. If it is still not fixed, run cpstop;cpstart again.

If the problem is still not fixed, try rebooting the firewalls.