Disabling state synchronization only in Check Point management GUI may cause a traffic outage
Article ID: 168767
The following sequence produces a traffic outage:
1. State synchronization was turned off only in the Check Point management GUI.
2. Policy was pushed to the Gateways.
3. Traffic outage was experienced.
After such a reconfiguration step, there will be a discrepancy between configured High Availability (HA) status and its runtime status. Consequently, the application status will be reported as "Down" on the VAP member:
    # /crossbeam/apps/app_status -v
    cpd is RUNNING
    fwd is RUNNING
    HA is NOT READY
    Reporting application state: DOWN
This is expected behavior. The XOS application monitor verifies if HA status is enabled at installation time. If you plan to disable state synchronization, HA must be disabled in the Check Point application configure menu first:
From the XOS CLI, execute the following commands:
    # application cpsg vap-group fw configure
    …
    Check Point Security Gateway Configuration Menu
    1. Licenses
    2. SNMP Extension
    3. Secure Internal Communication
    4. High Availability/State Synchronization
    <...>
    9. Exit
    Enter choice : 4
    …
    High Availability/State Synchronization is enabled.
    Do you want High Availability/State Synchronization to remain enabled? [y]:n
Please note that the list of menu items and numbering may slightly differ depending on Check Point application and version.
Disabling "High Availability/State Synchronization" will not affect VRRP chassis state. But the HA status will change to "disabled" at VAP member level:
    # /crossbeam/apps/app_status -v
    cpd is RUNNING
    fwd is RUNNING
    === >> HA is DISABLED <<===
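The shell function below is an added example, not part of the original article or of XOS. It reads app_status -v output and separates the outage condition described above (daemons running, HA not ready) from the intended "HA is DISABLED" state. The function name classify_ha, the verdict strings and the sample text are assumptions constructed from the output lines quoted in this article.

```shell
#!/bin/sh
# Added example: classify the HA lines of `app_status -v` output read on stdin.
# Only strings quoted in the article are matched; the verdict names
# (SYNC_MISMATCH, HA_DISABLED, DOWN_OTHER, UNCLASSIFIED) are made up here.
classify_ha() {
    awk '
        # The output may arrive on one line or on several, so test each phrase.
        /cpd is RUNNING/                    { cpd = 1 }
        /fwd is RUNNING/                    { fwd = 1 }
        /HA is NOT READY/                   { ha = "NOT_READY" }
        /HA is DISABLED/                    { ha = "DISABLED" }
        /Reporting application state: DOWN/ { down = 1 }
        END {
            if (ha == "NOT_READY" && cpd && fwd) {
                # Daemons are up but HA is not ready: the state the article
                # describes when sync was disabled in the management GUI only.
                print "SYNC_MISMATCH"
            } else if (ha == "DISABLED") {
                # HA was disabled through the application configure menu.
                print "HA_DISABLED"
            } else if (down) {
                print "DOWN_OTHER"
            } else {
                print "UNCLASSIFIED"
            }
        }'
}

# Constructed samples, assembled from the output shown in the article.
SAMPLE_MISMATCH='cpd is RUNNING
fwd is RUNNING
HA is NOT READY
Reporting application state: DOWN'

SAMPLE_DISABLED='cpd is RUNNING
fwd is RUNNING
=== >> HA is DISABLED <<==='

printf '%s\n' "$SAMPLE_MISMATCH" | classify_ha
printf '%s\n' "$SAMPLE_DISABLED" | classify_ha

# On a VAP member the live output would be piped in instead:
#   /crossbeam/apps/app_status -v | classify_ha
```

A SYNC_MISMATCH verdict after a policy push indicates that HA still needs to be disabled in the Check Point application configure menu, as described above.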