Disabling state synchronization only in Check Point management GUI may cause a traffic outage

Article ID: 168767

Updated On:

Products

XOS APM

Issue/Introduction

The following sequence produces a traffic outage:
  1. State synchronization was turned off only in the Check Point management GUI.
  2. Policy was pushed to the Gateways.
  3. Traffic outage was experienced.

Cause

After such a reconfiguration step, there will be a discrepancy between the configured High Availability (HA) status and its runtime status. Consequently, the application status will be reported as "Down" on the VAP member:

# /crossbeam/apps/app_status -v 
cpd is RUNNING 
fwd is RUNNING 
HA is NOT READY 

Reporting application state: DOWN 

Resolution

This is expected behavior. The XOS application monitor verifies whether HA status is enabled at installation time. If you plan to disable state synchronization, HA must first be disabled in the Check Point application configuration menu:

From the XOS CLI, execute the following commands:
# application cpsg vap-group fw configure 
… 
Check Point Security Gateway Configuration Menu 

1. Licenses 
2. SNMP Extension 
3. Secure Internal Communication 
4. High Availability/State Synchronization 
<...>
9. Exit 

Enter choice [9]: 4 
… 

High Availability/State Synchronization is enabled. 
Do you want High Availability/State Synchronization to remain enabled? [y]: n


Please note that the list of menu items and their numbering may differ slightly depending on the Check Point application and version.

Disabling "High Availability/State Synchronization" will not affect the VRRP chassis state, but the HA status will change to "disabled" at the VAP member level:

# /crossbeam/apps/app_status -v 
cpd is RUNNING 
fwd is RUNNING 
=== >> HA is DISABLED <<=== 

Reporting application state: UP 
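
The following check is an added example, not part of the original article or of the vendor's tooling. It classifies `app_status -v` output after a policy push so that the HA mismatch described above is distinguished from the expected "HA disabled" state. The function name and result words are hypothetical, and the sample inputs are constructed from the output shown in this article.

```shell
#!/bin/sh
# Added example: classify `/crossbeam/apps/app_status -v` output read on stdin.
# classify_app_status is a hypothetical helper name, not an XOS command.
# Prints one word; returns 0 when the application is reported UP, else 1.
#   HA_MISMATCH  HA is NOT READY and state is DOWN (the outage condition)
#   HA_DISABLED  HA is DISABLED and state is UP (expected after the menu change)
#   UP / DOWN    any other UP or DOWN report
#   UNKNOWN      no "Reporting application state" line was found
classify_app_status() {
    ha="" state=""
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"HA is NOT READY"*) ha="NOT READY" ;;
            *"HA is DISABLED"*)  ha="DISABLED" ;;
            *"Reporting application state:"*)
                # Keep the text after "state:" and drop all whitespace.
                state=$(printf '%s' "${line##*state:}" | tr -d '[:space:]')
                ;;
        esac
    done
    case "$state:$ha" in
        "DOWN:NOT READY") echo HA_MISMATCH; return 1 ;;
        "UP:DISABLED")    echo HA_DISABLED; return 0 ;;
        UP:*)             echo UP;          return 0 ;;
        DOWN:*)           echo DOWN;        return 1 ;;
        *)                echo UNKNOWN;     return 1 ;;
    esac
}

# Constructed sample inputs, copied from the two outputs in this article.
SAMPLE_MISMATCH='cpd is RUNNING
fwd is RUNNING
HA is NOT READY

Reporting application state: DOWN '

SAMPLE_DISABLED='cpd is RUNNING
fwd is RUNNING
=== >> HA is DISABLED <<===

Reporting application state: UP'

# Demonstration on the constructed sample; on a VAP member the input would be
#   /crossbeam/apps/app_status -v | classify_app_status
printf '%s\n' "$SAMPLE_MISMATCH" | classify_app_status || true  # HA_MISMATCH
```
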

 

Workaround

N/A