Describes how to remove a redundant VSX-generated interface/circuit
Due to communication problems with the VSX gateway while an interface/VS removal is being pushed, a leftover may remain: a wrp circuit/interface that was part of the old configuration stays on the gateway.
It is also possible that the gateway did not receive the local.vsall configuration from the management server, or that the database became corrupted, so that not everything was fetched correctly.
Such an interface cannot be deleted from the Check Point GUI because it no longer exists there.
Messages such as the one below might be logged:
fwvsx_1 kernel: FW-1: fwlinux_nfarpin: Unknown interface: wrpjXXX. Packet dropped.
The goal is to remove the interface from the system and get the configuration in sync with the management server.
Depending on why the interface was not removed from the configuration, either the first step or one of the later steps presented below should solve the issue. Steps should preferably be done during a maintenance window to avoid any impact on production traffic.
1. a) On the relevant VS, from the VAP context on which this interface exists, run
# unix su
# rsx <vapgroup_index>
# vsx set <VS>
# vsx fetch -vs # management_ip
b) Push policy
c) Check if the interface has been removed.
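One way to perform the check in step c) against the messages log, as an added example that is not part of this article: it parses the "Unknown interface" drop messages quoted above and reports, per VS, which wrp interfaces the kernel still does not recognise (and therefore which VS context to use for vsx set). The sample log lines are constructed; the hostname, VS names and interface names in them are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from a real system); the message
# format matches the kernel line quoted in the article.
SAMPLE_LOG = """\
Mar 10 12:00:01 cb-vap1 fwvsx_1 kernel: FW-1: fwlinux_nfarpin: Unknown interface: wrpj896. Packet dropped.
Mar 10 12:00:02 cb-vap1 fwvsx_1 kernel: FW-1: fwlinux_nfarpin: Unknown interface: wrpj896. Packet dropped.
Mar 10 12:00:05 cb-vap1 fwvsx_2 kernel: FW-1: fwlinux_nfarpin: Unknown interface: wrpj1024. Packet dropped.
Mar 10 12:00:07 cb-vap1 sshd[1234]: Accepted publickey for admin
"""

# Captures the VS kernel module name and the unknown wrp interface name.
UNKNOWN_IF = re.compile(
    r"(?P<vs>fwvsx_\d+) kernel: FW-1: fwlinux_nfarpin: "
    r"Unknown interface: (?P<ifname>wrp\w+)\. Packet dropped\."
)


def leftover_interfaces(log_text):
    """Return {(vs, ifname): drop_count} for every 'Unknown interface' drop.

    An empty result after the cleanup steps means the kernel no longer
    sees a leftover interface, i.e. step c) passes.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = UNKNOWN_IF.search(line)
        if m:
            counts[(m.group("vs"), m.group("ifname"))] += 1
    return dict(counts)


def vs_for_interface(log_text, ifname):
    """List the VS names that reported a given wrp interface as unknown,
    so the operator knows which VS to select with 'vsx set'."""
    return sorted({vs for (vs, name) in leftover_interfaces(log_text) if name == ifname})


if __name__ == "__main__":
    for (vs, ifname), n in sorted(leftover_interfaces(SAMPLE_LOG).items()):
        print(f"{vs}: {ifname} dropped {n} packet(s)")
```

On a live system, feed the output of the messages log for the VAP in question instead of SAMPLE_LOG; a run that returns nothing after the fetch and policy push confirms the interface is gone.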
2. If the above procedure does not work, then the following steps might help.
On P-1, run the command below and select the VSX gateway in question. Note that any active sessions to P-1 with write privileges should be closed, and the gateway in question might need to be reset (see the note below about reset_gw).
To reset the gateway, run the following command from the VAP in question:
reset_gw is not officially supported by Check Point. reset_gw is irreversible.
It deletes all VSX related information and resets SIC.
The Masters table is deleted and all VSX information will be deleted!
SIC may need to be reinitialized.
To reconfigure the gateway, run the following command from P-1.
If this does not help, the interface can be removed from the Crossbeam configuration, provided it exists on vs0 and is not part of the local.vsall file. Should the interface be required by the configuration during the next topology push or manual fetch (as described above), it will be recreated.
The example below shows how to remove the wrp896 interface, which is part of the VRRP fail-over group FIREWALL with ID 1. The exact names and IDs might differ on your system, so double check which names are in use by inspecting the running-config file.
# config vrrp failover-group FIREWALL failover-group-id 1
# no virtual-router vrrp-id 306
# circuit vsx_ckt_fwvsx_wrp896
# configure no circuit vsx_ckt_fwvsx_wrp896 circuit-id 2343