cphaprob state is not showing all APMs within the Check Point vap-group.


Article ID: 167952



When running different commands between XOS and Check Point, the APMs may or may not see each other within the vap-group or the configuration sync network. When running "cphaprob state" from one APM in the vap-group, one does not see the other APMs in the configured state sync network.


The problem outlined here is a discrepancy between what XOS reports in the Check Point vap-group and what Check Point reports in the vap-group.


This scenario can be introduced by a few different factors.  

The fact that XOS reports all APMs means that they are up, active, and have the application installed on them with policy installed.

One reason that Check Point may not see all the modules when using the cphaprob state command is that there are different policies on the APMs in the vap-group.  

For example, if a new policy was pushed on one APM in the vap-group but not the other, this would cause the discrepancy.  This would result in the APMs not being able to sync properly and therefore not all would show in the cphaprob state command.  To check if policy is the same on all APMs within the vap-group you may run fw stat -s on each APM within the vap-group.

Another way this could be introduced is if CoreXL is configured differently on each APM.  Check the CoreXL configuration status and make sure it is configured the same on all modules within the vap-group/cluster (fw ctl multik stat).  When CoreXL instance values are different between the APMs, the members will not report each other.

Finally, you will need to check if the CPU core affinity status is the same between the APMs within the vap-group. You can check the core status by running the command sim affinity -l.  This will list the core assignments.  If they are different on the APMs, they will have to be adjusted to be the same before the APMs will sync and be able to be seen together in cphaprob state.
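
The three checks above can be compared across APMs in one pass once each command's output has been saved to a file. The script below is an added example, not part of the original article or of any vendor tooling; the directory layout, file names and function names are assumptions. It also assumes that matching APMs produce identical output for each command, so any field that legitimately differs per APM would have to be stripped before comparing.

```shell
#!/usr/bin/env bash
# Added example: compare saved command output across the APMs of one vap-group.
# Assumed (hypothetical) layout: <dir>/<apm>/<check>.txt where
#   policy.txt   holds the output of: fw stat -s
#   corexl.txt   holds the output of: fw ctl multik stat
#   affinity.txt holds the output of: sim affinity -l

# Prints "<check> OK" or "<check> MISMATCH <apm>=<checksum> ..." for each check.
# Returns 0 if all three checks match on every APM, 1 otherwise.
compare_apms() {
    local dir=$1 check path apm sum first mismatch line status=0
    for check in policy corexl affinity; do
        first="" mismatch=0 line=""
        for path in "$dir"/*/; do
            apm=$(basename "$path")
            if [ -r "$path$check.txt" ]; then
                # Squeeze blanks and drop trailing ones so spacing alone is not a mismatch.
                sum=$(tr -s ' \t' ' ' < "$path$check.txt" | sed 's/ $//' | cksum | cut -d' ' -f1)
            else
                sum=missing; mismatch=1   # a capture that is absent counts as a mismatch
            fi
            if [ -z "$first" ]; then first=$sum; fi
            if [ "$sum" != "$first" ]; then mismatch=1; fi
            line="$line $apm=$sum"
        done
        if [ "$mismatch" -eq 0 ]; then
            echo "$check OK"
        else
            echo "$check MISMATCH$line"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: placeholder text, not real command output. apm3 differs in CoreXL.
make_sample() {
    local dir apm
    dir=$(mktemp -d)
    for apm in apm1 apm2 apm3; do
        mkdir "$dir/$apm"
        echo "constructed policy line"   > "$dir/$apm/policy.txt"
        echo "constructed corexl line"   > "$dir/$apm/corexl.txt"
        echo "constructed affinity line" > "$dir/$apm/affinity.txt"
    done
    echo "constructed corexl line, different" > "$dir/apm3/corexl.txt"
    echo "$dir"
}

if [ "$#" -gt 0 ]; then compare_apms "$1"; fi
```

An APM whose checksum differs from the others on a MISMATCH line is the one to inspect for that check.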