Application monitor verifies Check Point cluster HA status


Article ID: 167971

Products

XOS

Issue/Introduction

For current Check Point releases, application monitoring also checks the HA status. Even when Check Point is running, the show application vap-group command shows Application State "Down", and the VAP Status is Up but not Active in show ap-vap-mapping:

CBS# show application vap-group
VAP Group                   : fw
App ID                      : CPSG
Name                        : Check Point Security Gateway
Version                     : R75
Release                     : 10
Start on Boot               : yes
App Monitor                 : on
App State (fw_1)            : Down
App State (fw_2)            : Down


CBS# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP2     3     Up      1.1.1.101       fw         1      true
AP5     6     Up      1.1.1.102       fw         2      false
 
 
 
 
 

Cause

For older versions of Check Point applications, application monitoring verifies only that the FWD and CPD processes are running.

For all current Check Point releases (CPSG R70, CBI version 2.0.1.0-2 and newer), application monitoring checks the HA status too.

Resolution

There are situations that can cause the HA process to not start. For example:
  • A security policy has not been installed yet
  • Different application versions exist between cluster members
  • Any problem with the Cluster configuration
  • A mismatch in CoreXL settings on cluster members
If the HA process does not start, the VAP application state is shown as "Down".

You can manually check the output of the application monitor script by running the following command from the VAP member:

Example:
 
/crossbeam/apps/app_status -v
   cpd is RUNNING
   fwd is RUNNING
   HA  is NOT READY
 
Reporting application state: DOWN

Note: the output of the app_status script differs between RPM and CBI Check Point installations. See KB Article #5714 for more information.
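When this check is scripted, it helps to separate the HA-only failure described here from a stopped cpd or fwd process. The following is an added example, not part of the original article or of XOS: classify_app_status is a hypothetical helper, and it assumes the "<name> is <STATE>" output format shown above, which per the note differs between RPM and CBI installations.

```shell
#!/bin/sh
# Added example; classify_app_status is a hypothetical helper, not an XOS tool.
# Assumes the "<name> is <STATE>" line format shown in this article.

# Read `app_status -v` output on stdin and print one verdict:
#   HA_NOT_READY       cpd and fwd run, but the HA check fails (this article)
#   PROCESS_DOWN:<n,>  cpd and/or fwd is not running
#   OK                 nothing failing in the parsed lines
#   UNKNOWN            expected lines missing (e.g. a different output format)
classify_app_status() {
    awk '
        $2 == "is" {                       # e.g. "   HA  is NOT READY"
            state = $3
            for (i = 4; i <= NF; i++) state = state " " $i
            seen[$1] = state
        }
        /^Reporting application state:/ { reported = $NF }
        END {
            if (!("cpd" in seen) || !("fwd" in seen) || !("HA" in seen)) {
                print "UNKNOWN"; exit
            }
            down = ""
            if (seen["cpd"] != "RUNNING") down = "cpd"
            if (seen["fwd"] != "RUNNING") down = down (down == "" ? "" : ",") "fwd"
            if (down != "")                     print "PROCESS_DOWN:" down
            else if (seen["HA"] == "NOT READY") print "HA_NOT_READY"
            else if (reported == "DOWN")        print "UNKNOWN"
            else                                print "OK"
        }'
}

# Output copied from the example above.
SAMPLE_HA='   cpd is RUNNING
   fwd is RUNNING
   HA  is NOT READY

Reporting application state: DOWN'

# Constructed sample: the "STOPPED" wording is an assumption.
SAMPLE_FWD='   cpd is RUNNING
   fwd is STOPPED
   HA  is NOT READY

Reporting application state: DOWN'

printf '%s\n' "$SAMPLE_HA"  | classify_app_status   # HA_NOT_READY
printf '%s\n' "$SAMPLE_FWD" | classify_app_status   # PROCESS_DOWN:fwd
```

On a VAP member the function would be fed from /crossbeam/apps/app_status -v; an UNKNOWN verdict means the output should be read manually.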


To troubleshoot Check Point application status issues, the following commands are useful:

Restart the application manually with cpstop and cpstart to check whether the services come up and the policy can be fetched from the CP Management Server.

Run ping from one Cluster member on the sync circuit and tcpdump on the receiving member to check for any connectivity issue. Ping will not get through if the security policy does not allow it.

Run fw ctl multik stat on each Cluster member to verify that the CoreXL settings are identical.

Workaround

N/A