How to apply Check Point Hot Fix on Crossbeam X-Series platform
Article ID: 167897
Updated On:
Products
XOS
Issue/Introduction
How to apply Check Point Hot Fix on Crossbeam X-Series platformN/A
Cause
This procedure describes the elementary steps to successfully apply a Check Point HF or HFA onto a given VAP group within a given X-Series chassis while minimizing the downtime.
This procedure is valid irrespective of any particular network environment and configuration.
There are, however, possible specific situations that are not covered by this procedure such as unsynchonized clusters, and customers should use this procedure as a reference to build their own procedures.
Software Environment
This solution applies to the following software environment
This procedure is valid irrespective of any particular network environment and configuration.
There are, however, possible specific situations that are not covered by this procedure such as unsynchonized clusters, and customers should use this procedure as a reference to build their own procedures.
Software Environment
This solution applies to the following software environment
- XOS any version
- Check Point VPN-1, SG, VSX, GX
Resolution
Technical Considerations
This procedure assumes that all cluster members within a VAP group are synchronized for all necessary traffic. Should synchronization be deactivated, cluster members will not be synchronized and VRRP failover can cause possible outage.
Procedure
1) Identify the VAP group on which you need to apply the Hot Fix or Hot Fix Accumulator (HFA)
CBS_1# show ap-vap-mapping
Module Slot Status VAP IP Address VAP Group Index Master
AP5 7 Active 1.1.201.103 vsxr65 1 false
AP6 8 Active 1.1.201.104 vsxr65 2 false
AP7 9 Active 1.1.201.107 vsxr65 3 true
AP10 12 Active 1.1.201.108 vsxr65 4 false
2) In case of DBHA, identify if the chassis is VRRP backup. If not, disable the VRRP failover group to ensure a proper failover to the other chassis. The status of the VRRP failover group can be confirmed by issuing the "show vrrp" command.
Following example assumes that the relevant failover-group is named "fg_vsx" and is having the failover-group-id set to "1". Chassis CBS_1 is originally a VRRP master:
CBS_1# show vrrp
Priority is Actual/Configured
FG-ID Priority Status Preempt Master Sys ID Master Priority
1 100/100 Master off 201 100
(2 rows)
CBS_1# configure vrrp failover-group fg_vsx failover-group-id 1 no enable
CBS_1# show vrrp
Priority is Actual/Configured
FG-ID Priority Status Preempt Master Sys ID Master Priority
1 0/100 Down off n/a n/a
3) Upload the HFA on a given VAP group to the Crossbeam chassis CPM (i.e. using SCP or FTP)
4) Copy the HFA file to the VAP group common directory:
[[email protected]_1 admin]# cp sim_HOTFIX_ECUADOR2_HF_BASE_011.tgz /tftpboot/vsxr65_common/root/
5) In order to apply HFA on all VAPs in the vap-group the HFA will need to by present in the local APM directory structure. cbs_rsh tool can be used to automate this task as follows:
[[email protected]_1 admin]# /crossbeam/bin/cbs_rsh vsxr65
mkdir HFAxyz ; tar xzvf /vsxr65_common/root/sim_HOTFIX_ECUADOR2_HF_BASE_011 -C ./HFAxyz
6) RSH to each VAP member and install the HFA as described in the Check Point documentation
7) once the installation is finished on all modules (and the modules were rebooted), enable the VRRP:
CBS_1# configure vrrp failover-group fg_vsx failover-group-id 1 enable
Remarks
For XOS 8.5 and above, the customer may want to use the vrrp-relinquish-master command instead of disabling the VRRP failover-group.
CBS_1# vrrp-relinquish-master fg_vsx
This procedure assumes that all cluster members within a VAP group are synchronized for all necessary traffic. Should synchronization be deactivated, cluster members will not be synchronized and VRRP failover can cause possible outage.
Procedure
1) Identify the VAP group on which you need to apply the Hot Fix or Hot Fix Accumulator (HFA)
CBS_1# show ap-vap-mapping
Module Slot Status VAP IP Address VAP Group Index Master
AP5 7 Active 1.1.201.103 vsxr65 1 false
AP6 8 Active 1.1.201.104 vsxr65 2 false
AP7 9 Active 1.1.201.107 vsxr65 3 true
AP10 12 Active 1.1.201.108 vsxr65 4 false
2) In case of DBHA, identify if the chassis is VRRP backup. If not, disable the VRRP failover group to ensure a proper failover to the other chassis. The status of the VRRP failover group can be confirmed by issuing the "show vrrp" command.
Following example assumes that the relevant failover-group is named "fg_vsx" and is having the failover-group-id set to "1". Chassis CBS_1 is originally a VRRP master:
CBS_1# show vrrp
Priority is Actual/Configured
FG-ID Priority Status Preempt Master Sys ID Master Priority
1 100/100 Master off 201 100
(2 rows)
CBS_1# configure vrrp failover-group fg_vsx failover-group-id 1 no enable
CBS_1# show vrrp
Priority is Actual/Configured
FG-ID Priority Status Preempt Master Sys ID Master Priority
1 0/100 Down off n/a n/a
3) Upload the HFA on a given VAP group to the Crossbeam chassis CPM (i.e. using SCP or FTP)
4) Copy the HFA file to the VAP group common directory:
[[email protected]_1 admin]# cp sim_HOTFIX_ECUADOR2_HF_BASE_011.tgz /tftpboot/vsxr65_common/root/
5) In order to apply HFA on all VAPs in the vap-group the HFA will need to by present in the local APM directory structure. cbs_rsh tool can be used to automate this task as follows:
[[email protected]_1 admin]# /crossbeam/bin/cbs_rsh vsxr65
mkdir HFAxyz ; tar xzvf /vsxr65_common/root/sim_HOTFIX_ECUADOR2_HF_BASE_011 -C ./HFAxyz
6) RSH to each VAP member and install the HFA as described in the Check Point documentation
7) once the installation is finished on all modules (and the modules were rebooted), enable the VRRP:
CBS_1# configure vrrp failover-group fg_vsx failover-group-id 1 enable
Remarks
For XOS 8.5 and above, the customer may want to use the vrrp-relinquish-master command instead of disabling the VRRP failover-group.
CBS_1# vrrp-relinquish-master fg_vsx
Workaround
N/AFeedback
Yes
No
Powered by
