Issue/Introduction:
This article describes a situation in which application monitor occasionally reports that Check Point R75.40 application is down during policy installation.Application monitor can report the Check Point application as Down for a short period (typically 5 seconds), even though the application is not suffering from any apparent issues:
<-- policy installation -->
Nov 15 23:21:00 cpsg_1 kernel: [fw_0];FW-1: No license for Performance Pack (SecureXL).
Nov 15 23:21:00 CBS cbshmonitord: [N] Violation (s=1, no alarm) occurred: module:7, item:1501 (H_ID_APP_RUNNING), component:Application, time:[1321395648]"Tue Nov 15 23:20:48 2011"
Nov 15 23:21:00 CBS cbsalarmlogrd: AlarmID 2814 | Tue Nov 15 23:21:00 2011 | minor | ap5 | applicationDown | Application down
Nov 15 23:21:00 CBS cbsalarmlogrd: AlarmID 2816 | Tue Nov 15 23:21:00 2011 | info | ap5 | moduleStateChange | Module state change (up)
Nov 15 23:21:00 CBS cbsalarmlogrd: AlarmID 2818 | Tue Nov 15 23:21:00 2011 | info | ap5 | vapStateChange | VAP state change (up)
Nov 15 23:21:05 CBS cbshmonitord: [N] Violation (s=1, no alarm) cleared: module:7, item:1501 (H_ID_APP_RUNNING), component:Application, time:[1321395665]"Tue Nov 15 23:21:05 2011"
Nov 15 23:21:05 CBS cbsalarmlogrd: AlarmID 2819 | Tue Nov 15 23:21:05 2011 | clear | ap5 | applicationDown | Application down | CorrelationID 2814
Nov 15 23:21:05 CBS cbsalarmlogrd: AlarmID 2820 | Tue Nov 15 23:21:05 2011 | info | ap5 | moduleStateChange | Module state change (active)
Nov 15 23:21:05 CBS cbsalarmlogrd: AlarmID 2822 | Tue Nov 15 23:21:05 2011 | info | ap5 | vapStateChange | VAP state change (active)
Cause:
Problem:
Application monitor can report the application as Down during the policy push. This alarm is almost immediately cleared.
However, if the application monitor reports the application as Down even for a single second, it can cause a VRRP failover to the secondary chassis.
Goal:
To eliminate this unexpected behavior.
Resolution:
This issue is fixed in the updated CBI release of the Check Point application R75.40 MR1. The filename is CPSG-R75.40-15.mr1.cbi. Upgrading to this new or later CBI version will solve this issue.
Workaround
Workaround 1:To work around this issue, disable application monitoring:
CBS# configure vap-group <VG-NAME> no application-monitorWorkaround 2:It is possible to use an updated app_status binary from Check Point R75.40 MR1. This binary is compatible with other Check Point R75 releases. To implement this workaround follow the steps bellow:
1. disable the application monitor on the vap-group first:
CBS# configure vap-group <VG-NAME> no application-monitor
2. Make a backup copy of current file :
CBS# unix su
# cp /tftpboot/<VG-NAME>_common/crossbeam/apps/app_status /tftpboot/<VG-NAME>_common/crossbeam/apps/app_status.orig
3. Copy the new binary over the existing one. Then set the correct permissions:
# chmod 555 /tftpboot/<VG-NAME>_common/crossbeam/apps/app_status
4. Enable back the application monitor:
CBS# configure vap-group <VG-NAME> application-monitor
Note: use your actual VAP group name instead of <VG-NAME> in all given commands