[solved] Finally CPHA configuration resolved

Finally, problem that I’ve encountered a month ago has been resolved. I would like to express my gratitude and appreciation especially to David Rodriguez from SysAdminTutorials.com for your effort in helping me to resolve CPHA configuration issue.

BEFORE [PROBLEM]

AFTER [RESOLVED]

You can find David’s tutorial here. It’s the most helpful document I’ve ever read in configuring Check Point Cluster.

David has also setup a discussion forum where you can post any question regarding Check Point firewall. Should you have any questions, please feel free to post it there.

There were a few mistakes in my configuration especially on the “Edit Topology” part. I didn’t configure outside interface of the Cluster. Once it has been configured, I pushed the policy again and it works!

REFERENCE
http://www.sysadmintutorials.com/tutorials/check-point/check-point-r75-cluster-setup/
http://www.sysadmintutorials.com/forums/showthread.php?800-How-to-configure-Check-Point-SPLAT-R60-R65-High-Availability-Configuration&p=843#post843

[solved] ERROR: Unable to set this url, file has non-ASCII characters

The following error message is occurred because the command is not put in the right order.

ERROR: Unable to set this url, file has non-ASCII characters
or
WARNING: BOOT variable added, but unable to find disk0:/.private/startup-config

ciscoasa#
ciscoasa# con t
ciscoasa(config)# boot config disk0:/.private/startup-config
ERROR: Unable to set this url, file has non-ASCII characters
ciscoasa(config)#

SOLUTION

The right sequences are as follows:

enable
config t
copy run disk0:/.private/startup-config
boot config disk0:/.private/startup-config
wr mem

EXAMPLE

ciscoasa(config)# copy run disk0:/.private/startup-config
Source filename [running-config]?
Destination filename [/.private/startup-config]?

%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Cryptochecksum: 6e33e06b 255d8b92 90c27d70 9f5b4de4
1471 bytes copied in 2.20 secs (735 bytes/sec)open(ffsdev/2/write/41) failed
open(ffsdev/2/write/40) failed
ciscoasa(config)#
ciscoasa(config)# boot config disk0:/.private/startup-config
ciscoasa(config)#
ciscoasa(config)# wr mem
Building configuration…
Cryptochecksum: a0ce05e6 e361a34f d8bc3b81 55185b42

1514 bytes copied in 2.150 secs (757 bytes/sec)open(ffsdev/2/write/41) failed
open(ffsdev/2/write/40) failed

[OK]
ciscoasa(config)#

I hope this helps

How to “wr mem” Cisco ASA in GNS3?

On a previous post, I’ve shared how to save Cisco ASA configuration in GNS3 environment. If you don’t like this way, there is a good news for you. wr mem command still can be used, but you need to execute the following command.

copy run disk0:/.private/startup-config
boot config disk0:/.private/startup-config

After that, wr mem command is good to go

EXAMPLE

ciscoasa(config)# copy run disk0:/.private/startup-config
Source filename [running-config]?
Destination filename [/.private/startup-config]?

%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Cryptochecksum: 6e33e06b 255d8b92 90c27d70 9f5b4de4

1471 bytes copied in 2.20 secs (735 bytes/sec)open(ffsdev/2/write/41) failed
open(ffsdev/2/write/40) failed

ciscoasa(config)# boot config disk0:/.private/startup-config
ciscoasa(config)#

ciscoasa(config)# wr mem
Building configuration…
Cryptochecksum: a0ce05e6 e361a34f d8bc3b81 55185b42

1514 bytes copied in 2.150 secs (757 bytes/sec)open(ffsdev/2/write/41) failed
open(ffsdev/2/write/40) failed

[OK]
ciscoasa(config)#

[solved] How to start Check Point High Availability (CPHA) Module?

PROBLEM

HA module not started
HA state:            ClusterXL inactive or machine is down
HA started:   no

cphaprob stat
will display the status of the cluster

[Expert@R65-FW-254]# cphaprob state
HA module not started.
[Expert@R65-FW-254]#

cphaprob -a if
will display the monitoring interfaces, the fwd, cphd dameon states, look for any interface down alerts if the cluster is down.

[R65-FW-254]# cphaprob -a if
HA module not started.
[R65-FW-254]#

cphaprob list
will display the overall health status of the cluster / Shows a status in list form

[R65-FW-254]# cphaprob list

Built-in Devices:

Device Name: Interface Active Check

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none

Device Name: Filter
Registration number: 1
Timeout: none

Device Name: fwd
Registration number: 2
Timeout: 2 sec

[R65-FW-254]#

cpstat ha
high availability state

[Expert@R65-FW-254]# cpstat ha
Product name: High Availability
Version:      N/A
Status:       problem
HA installed: 1
Working mode:
HA started:   no
[Expert@R65-FW-254]#

[Expert@R65-FW-254]# cpstat -f all ha
Product name:        High Availability
Major version:       6
Minor version:       0
Service pack:        1
Version string:      N/A
Status code:         2
Status short:        problem
Status long:
HA installed:        1
Working mode:
HA protocol version: 2
HA started:          no
HA state:            ClusterXL inactive or machine is down
HA identifier:       0

Interface table
————————————————
|Name|IP|Status|Verified|Trusted|Shared|Netmask|
————————————————

Problem Notification table
————————————————-
|Name           |Status |Priority|Verified|Descr|
————————————————-
|Synchronization|problem|       0|     730|     |
|Filter         |OK     |       0|     730|     |
|fwd            |OK     |       0|     731|     |
————————————————-

Cluster IPs table
———————————————–
|Name|IP|Netmask|Member Network|Member Netmask|
———————————————–

Sync table
—————–
|Name|IP|Netmask|
—————–
[Expert@R65-FW-254]#
[Expert@R65-FW-254]# fw hastat
HOST      NUMBER     HIGH AVAILABILITY STATE          MACHINE STATUS
localhost ??         module disabled
[Expert@R65-FW-254]#

[R65-FW-254]# cpstart
SVN Foundation: cpWatchDog already running
SVN Foundation: cpd already running
SVN Foundation started
FireWall-1: starting external VPN module — OK
Note: This machine is not defined as a part of any Cluster.
It is possible that the IP of this machine as it appears in your hosts
file differs from the general IP of this machine in the Management server.
Alternatively, Check your Cluster configuration in the Management server.
If this machine is no longer part of a Cluster, please disable Check Point ClusterXL
or State Synchronization on it.
FireWall-1: Starting fwd

Installing Security Policy InitialPolicy on all.all@R65-FW-254
Fetching Security Policy from localhost succeeded
Failed to read database.
Probably module was never installed
Failed to fetch policy from masters in masters file
FireWall-1: enabling bridge forwarding
FireWall-1 started
FloodGate-1 is disabled. If you wish to start the service, please run ‘etmstart enable’.
SmartView Monitor: Not active
cpstart: Power-Up self tests passed successfully
cpstart: Starting product – SVN Foundation
cpstart: Starting product – VPN-1
cpstart: Starting product – FloodGate-1
cpstart: Starting product – SmartView Monitor
cpstart: Starting product – Advanced Routing
[R65-FW-254]#

[Expert@R65-FW-254]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
———————-
(1)  Licenses
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable Advanced Routing
(7)  Disable cluster membership for this gateway
(8)  Automatic start of Check Point Products

(9) Exit
Enter your choice (1-9) :

REFERENCE

https://www.cpug.org/forums/installing-upgrading/9786-how-do-i-start-my-ha-module.html

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36247

SOLUTION [May 20, 2012]

You can read the solution here 🙂

https://firewallengineer.wordpress.com/2012/05/20/solved-finally-cpha-configuration-resolved/

[solved] Provider-1 R65: cpconfig command error

[P1-R65]# cpconfig
Unknown command “cpconfig”
[P1-R65]# expert
Enter expert password:

You are in expert mode now.

[Expert@P1-R65]# cpconfig
cpconfig: There is a conflict between the values of FWDIR in registry and environment.
please relogin or activate your login script.
[Expert@P1-R65]#

SIMILAR ISSUE

https://forums.checkpoint.com/forums/message.jspa?messageID=18887

SYMPTOMS

Running the ‘cpconfig’ command on the MDS fails.
Error: “cpconfig: There is a conflict between the values of FWDIR in registry and environment.”

CAUSE
cpconfig is not supported on Provider-1/SiteManager-1.

SOLUTION
No fix is required; the system is functioning as designed.
Use the mdsconfig command in the MDS context. Symptoms

EXAMPLE

[Expert@P1-R65]# mdsconfig

Welcome to MDS Configuration Program
========================================
This program will let you re-configure your MDS configuration.

Configuration Options:
———————-
(1)  Leading VIP Interfaces
(2)  Licenses
(3)  Random Pool
(4)  Groups
(5)  Certificate’s Fingerprint
(6)  Administrators
(7)  GUI clients
(8)  Automatic Start of MDS

(9) Exit

Enter your choice (1-9):

Running ‘cpconfig’ command on MDS fails with error: “cpconfig: There is a conflict between the values of FWDIR in registry and environment.”

[solved] No SIC reset option in cpconfig

PROBLEM

The following issue has been posted by Manfred Reinholdt on Feb 2, 2010.

Hei,
after installing EndPoint Security Server R73 HFA1 i try to initialize the SIC but when executing cpconfig the option Secure Internal Communication is not avaliable.
Some idea ?

It seems like I’m having similar issue here. I’ll do more research on this and will update this post once I’ve the solution. If you have any info regarding this, please let me know.

[Expert@R60-FW]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
———————-
(1)  Licenses
(2)  Administrator
(3)  GUI Clients
(4)  SNMP Extension
(5)  Group Permissions
(6)  PKCS#11 Token
(7)  Random Pool
(8)  Certificate Authority
(9)  Certificate’s Fingerprint
(10) Disable Advanced Routing
(11) Disable Check Point SecureXL
(12) Automatic start of Check Point Products

(13) Exit

Enter your choice (1-13) :

SIMILAR ISSUE

https://forums.checkpoint.com/forums/message.jspa?messageID=35542

SOLUTION

Do not select SmartCenter (Management) for CPHA setup

During installation, you’ll be presented with the following option.

The following products are available in this version
Please select product(s)

1 [*] VPN-1 Power
2 [ ] UserAuthority
3 [ ] SmartCenter
4 [ ] Eventia Suite
5 [ ] Integrity
6 [*] Performance Pack
7 [ ] SmartPortal

Thanks to Brandon who left a comment below. According to him, my firewall is defined as a management server and firewall gateway. That’s the main reason why I never see SIC menu.

Now I understand that in order to configure High Availability in Check Point, Management Server and Firewall Gateway can’t be installed together. In the other words, never select option 3 which is SmartCenter if you want to configure it as HA.

If you select it, the following option will never appear. Type y for yes for the following option:

Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ? y

Full menu looks like below

Welcome to Check Point Configuration Program
=================================================
Is this a Dynamically Assigned IP Address gateway installation ? (y/n) [n] ?
Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ? y

After that, install as usual, reboot the firewall and run cpconfig again.

Finally, menu 5, Secure Internal Communication is appear.

[Expert@R65-FW]# cpconfig
This program will let you re-configure your Check Point products configuration.

Configuration Options:
———————-
(1)  Licenses
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable Advanced Routing
(7)  Disable cluster membership for this gateway
(8)  Disable Check Point SecureXL
(9)  Automatic start of Check Point Products

(10) Exit
Enter your choice (1-10) : 5

 

[solved] Installation failed !: No sufficient Licenses installed for filter

This error message occurred when I tried to add third firewall policy.

Installation failed !

No sufficient Licenses installed for filter

Last time, when I had a problem with SmartDashboard, I’ve just rebooted both Management Server & SmartDashboard client’s host and the problem fixed somehow. Therefore, I’ve tried similar method and the following error occurred when I tried to login to SmartDashboard after reboot

Trial period has expired on SmartCenter Server: ‘192.168.10.254’

Currently I don’t have any issue accessing SPLAT R60 from ssh, but this error message occurred when I tried to access it via web.

Check Point product trial period has expired. Adding licenses can be done through the Lincenses page

Then, I’ve scrolled down on left menu, look at Product Configuration, followed by Licenses, and guess what I’ve found:

Check Point product trial period has expired

I guess I need to re-install R60 as 15 days evaluation has been expired

SIMILAR ISSUE

https://www.cpug.org/forums/installing-upgrading/8731-cp-ngx-r65-splat-license-installation.html

SUPPORT

https://www.cpug.org/forums/check-point-ip-appliances-ipso-formerly-sold-nokia/6212-license-requirements.html

SOLUTION

Re-install SPLAT R60 fix the trial expiration issue

[solved] Smart Dashboard cannot connect to Management server

PROBLEM

I’ve just reinstalled R60 in VirtualBox and somehow I can’t access to SmartDashboard anymore. I was able to access it before. There is no network issue as I can ping from SmartDashboard to Management Server and vice versa.
I’m able to access the web access and found the GUI client is defined correctly.
Is there anything else I can do to fix this issue?

SmartDashboard = 192.168.10.10
Management Server = 192.168.10.254

UPDATE – Apr 15, 2012

It seems like I’m not the only one who experiencing with this problem. Quick search on google and found a few similar problems have been posted to The Check Point User Group forum, CPUG.

Since I’m new to Check Point firewall and have no clue about what happened, I’ve decided to get help from them as well. Thanks to a senior member, ShadowPeak.com who responded to this issue quickly and has suggested a few ways to troubleshoot this issue which is totally new to me.

SOLUTION

I don’t have a chance to try all suggested method as once I’ve rebooted both SmartDashboard client and management server, I was able to login back. Hmm, weird. Btw, it’s good to know that this issue has been resolved by rebooting the servers.

REFERENCE

https://www.cpug.org/forums/smartdashboard/17312-smart-dashboard-cannot-connect-management-server.html