
Troubleshooting a Check Point firewall cluster failure caused by a mismatch in the number of CoreXL-enabled firewall instances

Published: 2020-06-08 17:53:19 Source: Internet Views: 3294 Author: smsong Category: Security Technology

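This post walks through troubleshooting a Check Point firewall cluster whose negotiation failed because the members had different numbers of CoreXL-enabled firewall instances.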

Symptom: of the two firewalls forming the cluster, cp-246 has HA state ready while the other, cp-248, is active, and neither member shows the other's state.

NJZQ-CP-246 cluster comparison check

[NJZQ-CP-246]# cphaprob -a if

 

Required interfaces: 3

Required secured interfaces: 1

 

eth0      UP              non sync(non secured), multicast

eth2      UP              non sync(non secured), multicast

eth3      UP              sync(secured), multicast

 

Virtual cluster interfaces: 3

 

eth0            221.226.154.194      

eth2            192.168.200.247      

eth3            19.19.19.247      

 

[NJZQ-CP-246]#

[NJZQ-CP-246]# cphaprob state

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

2 (local) 19.19.19.246    0%              Ready       

 

[NJZQ-CP-246]#

[NJZQ-CP-246]# cphaprob list

 

Built-in Devices:

 

Device Name: Interface Active Check

Current state: OK

 

Registered Devices:

 

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 77483.5 sec

 

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 77477.4 sec

 

Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.2 sec

 

Device Name: fwd

Registration number: 3

Timeout: 2 sec

Current state: OK

Time since last report: 0.5 sec

 

[NJZQ-CP-246]#

 

[NJZQ-CP-246]# cpstat ha -f all

 

Product name:        High Availability

Major version:       6

Minor version:       0

Service pack:        1

Version string:      N/A

Status code:         0

Status short:        OK

Status long:         Refer to the Notification and Interfaces tables for information about the problem

HA installed:        1

Working mode:        High Availability (Active Up)

HA protocol version: 2

HA started:          yes

HA state:            ready

HA identifier:       2

 

 

Interface table

-------------------------------------------------------------

|Name|IP            |Status|Verified|Trusted|Shared|Netmask|

-------------------------------------------------------------

|eth0|221.226.154.195|Up    |    200|      0|     2|0.0.0.0|

|eth2|192.168.200.246|Up    |      0|      0|     2|0.0.0.0|

|eth3|  19.19.19.246|Up    |       0|     1|     2|0.0.0.0|

-------------------------------------------------------------

 

 

 

Problem Notification table

------------------------------------------------

|Name           |Status|Priority|Verified|Descr|

------------------------------------------------

|Synchronization|OK    |      0|   77531|     |

|Filter         |OK   |       0|   77524|    |

|cphad          |OK   |       0|      0|     |

|fwd            |OK    |      0|       1|     |

------------------------------------------------

 

 

 

Cluster IPs table

----------------------------------------------------------------------

|Name|IP             |Netmask        |Member Network |Member Netmask |

----------------------------------------------------------------------

|eth0|221.226.154.194|255.255.255.248|221.226.154.192|255.255.255.248|

|eth2|192.168.200.247|  255.255.255.0|  192.168.200.0|  255.255.255.0|

|eth3|  19.19.19.247|  255.255.255.0|     19.19.19.0|  255.255.255.0|

----------------------------------------------------------------------

 

 

 

Sync table

---------------------------------

|Name|IP          |Netmask      |

---------------------------------

|eth3|19.19.19.246|255.255.255.0|

---------------------------------

 

[NJZQ-CP-246]# 

 

[NJZQ-CP-246]# fw ctl pstat

 

Machine Capacity Summary:

 Memory used: 7% (126MB out of 1638MB) - below low watermark

 Concurrent Connections: 0% (5 out of 24900) - below low watermark

 Aggressive Aging is not active

 

Hash kernel memory (hmem) statistics:

 Total memory allocated: 31457280 bytes in 7672 4KB blocks using 8 pools

 Initial memory allocated: 20971520 bytes (Hash memory extended by 10485760 bytes)

 Memory allocation  limit: 31457280 bytes using 512 pools

 Total memory bytes  used: 15350072   unused: 16107208 (51.20%)   peak: 26094340

 Total memory blocks used:    4436   unused:     3236 (42%)   peak:    6794

 Allocations: 25663486 alloc, 402789 failed alloc, 25502424 free

 

System kernel memory (smem) statistics:

 Total memory  bytes  used: 113440916   peak: 153201032

   Blocking  memory  bytes  used:  2041508   peak: 2602416

   Non-Blocking memory bytes used: 111399408   peak: 150598616

 Allocations: 415867 alloc, 0 failed alloc, 411131 free, 0 failed free

 

Kernel memory (kmem) statistics:

 Total memory  bytes  used: 96995928   peak: 148937068

       Allocations: 26073835 alloc, 0 failed alloc, 25909727 free, 0 failed free

       External Allocations: 0 for packets, 0 for SXL

 

Kernel stacks:

       0 bytes total, 0 bytes stack size, 0 stacks,

       0 peak used, 0 max stack bytes used, 0 min stack bytes used,

       0 failed stack calls

 

INSPECT:

       0 packets, 0 operations, 0 lookups,

       0 record, 0 extract

 

Cookies:

       4739679 total, 0 alloc, 0 free,

       11 dup, 346925 get, 77498 put,

       4739829 len, 0 cached len, 0 chain alloc,

       0 chain free

 

Connections:

       464 total, 399 TCP, 50 UDP, 9 ICMP,

       6 other, 0 anticipated, 30 recovered, 5 concurrent,

       509 peak concurrent

 

Fragments:

       0 fragments, 0 packets, 0 expired, 0 short,

       0 large, 0 duplicates, 0 failures

 

NAT:

       53/0 forw, 0/0 bckw, 52 tcpudp,

       1 icmp, 40-39 alloc

 

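        Sync:  // The cluster sync interfaces are not exchanging packets normally: no sync packets are received here (first confirm that this is not being blocked by the firewall policy!)

        Version: new

        Status: Able to Send/Receive sync packets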

        Sync packets sent:

         total : 50885,  retransmitted : 0, retrans reqs : 0,  acks : 0

        Sync packets received:

         total : 0,  were queued : 0, dropped by net : 0

         retrans reqs : 0, received 0 acks

         retrans reqs for illegal seq : 0

         dropped updates as a result of sync overload: 0

[NJZQ-CP-246]#

[NJZQ-CP-246]# cpconfig

This program will let you re-configure

your Check Point products configuration.

 

 

Configuration Options:

----------------------

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Disable cluster membership for this gateway

(7)  Configure Check Point CoreXL

(8) Automatic start of Check Point Products

 

(9) Exit

 

Enter your choice (1-9) :7

 

 

 

Configuring Configure Check Point CoreXL...

===========================================

 

 

CoreXL is currently enabled with 6 firewall instances.

 

 

(1) Change the number of firewall instances

(2) Disable Check Point CoreXL

 

(3) Exit

Enter your choice (1-3) : 1

 

This machine has 8 CPUs.

 

Note: All cluster members must have the same number of firewall instances enabled.

 

How many firewall instances would you like to enable (2 to 4) [3] ? 4

 

CoreXL was enabled successfully with 4 firewall instances.

Important: This change will take effect after reboot.

 

[NJZQ-CP-246]# reboot

 

Are you sure? (y/n) y

 

Broadcast message from root (pts/0) (Wed Jul 29 14:33:54 2015):

 

The system is going down for reboot NOW!

[NJZQ-CP-246]#

NJZQ-CP-248 cluster comparison check

[NJZQ-CP-248]# cphaprob -a if

 

Required interfaces: 3

Required secured interfaces: 1

 

eth0      UP              non sync(non secured), multicast

eth2      UP              non sync(non secured), multicast

eth3      UP              sync(secured), multicast

 

Virtual cluster interfaces: 3

 

eth0            221.226.154.194      

eth2            192.168.200.247      

eth3            19.19.19.247      

 

[NJZQ-CP-248]# cphaprob state

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1 (local) 19.19.19.248    100%            Active      

 

[NJZQ-CP-248]#

[NJZQ-CP-248]#

[NJZQ-CP-248]# cphaprob list

 

Built-in Devices:

 

Device Name: Interface Active Check

Current state: OK

 

Registered Devices:

 

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 77425.4 sec

 

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 77419.4 sec

 

Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.8 sec

 

Device Name: fwd

Registration number: 3

Timeout: 2 sec

Current state: OK

Time since last report: 0.8 sec

 

Device Name: FIB

Registration number: 4

Timeout: none

Current state: OK

Time since last report: 145126 sec

 

[NJZQ-CP-248]#

[NJZQ-CP-248]# cpstat ha -f all

 

Product name:        High Availability

Major version:       6

Minor version:       0

Service pack:        1

Version string:      N/A

Status code:         0

Status short:        OK

Status long:         Refer to the Notification and Interfaces tables for information about the problem

HA installed:        1

Working mode:        High Availability (Active Up)

HA protocol version: 2

HA started:          yes

HA state:            active

HA identifier:       1

 

 

Interface table

-------------------------------------------------------------

|Name|IP            |Status|Verified|Trusted|Shared|Netmask|

-------------------------------------------------------------

|eth0|221.226.154.196|Up    |    300|      0|     2|0.0.0.0|

|eth2|192.168.200.248|Up    |      0|      0|    2|0.0.0.0|

|eth3|  19.19.19.248|Up    |       0|     1|     2|0.0.0.0|

-------------------------------------------------------------

 

 

 

Problem Notification table

------------------------------------------------

|Name           |Status|Priority|Verified|Descr|

------------------------------------------------

|Synchronization|OK    |      0|   77681|     |

|Filter         |OK   |       0|   77675|    |

|cphad          |OK   |       0|       0|    |

|fwd            |OK    |       0|      0|     |

|FIB            |OK    |      0|  145382|     |

------------------------------------------------

 

 

 

Cluster IPs table

----------------------------------------------------------------------

|Name|IP             |Netmask        |Member Network |Member Netmask |

----------------------------------------------------------------------

|eth0|221.226.154.194|255.255.255.248|221.226.154.192|255.255.255.248|

|eth2|192.168.200.247|  255.255.255.0|  192.168.200.0|  255.255.255.0|

|eth3|  19.19.19.247|  255.255.255.0|     19.19.19.0|  255.255.255.0|

----------------------------------------------------------------------

 

 

 

Sync table

---------------------------------

|Name|IP          |Netmask      |

---------------------------------

|eth3|19.19.19.248|255.255.255.0|

---------------------------------

 

 

[NJZQ-CP-248]#

[NJZQ-CP-248]# fw ctl pstat

 

Machine Capacity Summary:

 Memory used: 3% (56MB out of 1638MB) - below low watermark

 Concurrent Connections: 0% (15 out of 24900) - below low watermark

 Aggressive Aging is not active

 

Hash kernel memory (hmem) statistics:

 Total memory allocated: 20971520 bytes in 5115 4KB blocks using 5 pools

 Total memory bytes  used:  5420960  unused: 15550560 (74.15%)  peak:  9363424

 Total memory blocks used:     1590  unused:     3525 (68%)   peak:    2434

 Allocations: 20398394 alloc, 0 failed alloc, 20341055 free

 

System kernel memory (smem) statistics:

 Total memory  bytes  used: 58076812   peak: 74594452

   Blocking  memory  bytes  used:  1435484   peak: 1435484

   Non-Blocking memory bytes used: 56641328   peak: 73158968

 Allocations: 4509 alloc, 0 failed alloc, 3473 free, 0 failed free

 

Kernel memory (kmem) statistics:

 Total memory  bytes  used: 42463860   peak: 65598912

       Allocations: 20401060 alloc, 0 failed alloc, 20343252 free, 0 failed free

       External Allocations: 0 for packets, 0 for SXL

 

Kernel stacks:

       0 bytes total, 0 bytes stack size, 0 stacks,

       0 peak used, 0 max stack bytes used, 0 min stack bytes used,

       0 failed stack calls

 

INSPECT:

       0 packets, 0 operations, 0 lookups,

       0 record, 0 extract

 

Cookies:

       8540948 total, 0 alloc, 0 free,

       3288 dup, 4471698 get, 26365 put,

       8614434 len, 0 cached len, 0 chain alloc,

        0 chain free

 

Connections:

       23178 total, 563 TCP, 17814 UDP, 3 ICMP,

       4798 other, 0 anticipated, 52 recovered, 15 concurrent,

       589 peak concurrent

 

Fragments:

       0 fragments, 0 packets, 0 expired, 0 short,

       0 large, 0 duplicates, 0 failures

 

NAT:

       4312/0 forw, 74/0 bckw, 4369 tcpudp,

       11 icmp, 14678-13878 alloc

 

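        Sync:  // The cluster sync interfaces are not exchanging packets normally: no sync packets are received here (first confirm that this is not being blocked by the firewall policy!)

        Version: new

        Status: Able to Send/Receive sync packets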

        Sync packets sent:

         total : 119178,  retransmitted : 0, retrans reqs : 0,  acks : 0

        Sync packets received:

         total : 0,  were queued : 0, dropped by net : 0

         retrans reqs : 0, received 0 acks

         retrans reqs for illegal seq : 0

         dropped updates as a result of sync overload: 0

[NJZQ-CP-248]#

[NJZQ-CP-248]# cpconfig

This program will let you re-configure

your Check Point products configuration.

 

 

Configuration Options:

----------------------

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Disable Advanced Routing

(7) Disable cluster membership for this gateway

(8)  Configure Check Point CoreXL

(9) Automatic start of Check Point Products

 

(10) Exit

 

Enter your choice (1-10) :8

 

 

 

Configuring Configure Check Point CoreXL...

===========================================

 

 

CoreXL is currently enabled with 2 firewall instances.

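 // Comparing the two shows that the number of CoreXL-enabled firewall instances on CP-248 clearly differs from the value on CP-246; for cluster HA this parameter must be identical on all members! What follows is the process of changing the number of enabled firewall instances on this firewall through cpconfig.

 

(1) Change the number of firewall instances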

(2) Disable Check Point CoreXL

 

(3) Exit

Enter your choice (1-3) : 1

 

This machine has 8 CPUs.

 

Note: All cluster members must have the same number of firewall instances enabled.

 

How many firewall instances would you like to enable (2 to 4) [3] ? 4

 

CoreXL was enabled successfully with 4 firewall instances.

Important: This change will take effect after reboot.

[NJZQ-CP-248]# reboot

 

Are you sure? (y/n) y

 

Broadcast message from root (pts/0) (Wed Jul 29 14:24:14 2015):

 

The system is going down for reboot NOW!

[NJZQ-CP-248]#

 

After the reboot:

 

[NJZQ-CP-246]# cphaprob state

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1         19.19.19.248    100%            Active     

2 (local) 19.19.19.246    0%              Standby     

 

[NJZQ-CP-246]#

[NJZQ-CP-248]# cphaprob state

 

Cluster Mode:   New High Availability (Active Up)

 

 

Number    Unique Address  Assigned Load   State      

 

1 (local) 19.19.19.248    100%            Active      

2         19.19.19.246    0%              Standby     

 

[NJZQ-CP-248]#
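
As an added example (not part of the original post), the shell script below automates the comparison the post performs by hand: given text captured from `cpconfig` and `fw ctl pstat` on each member, it extracts the CoreXL instance count and the received sync packet counter and flags a mismatch. The function names and the sample captures are assumptions constructed here from the output lines shown above.

```shell
# Added example: compare captured diagnostics from two cluster members.
# Function names are hypothetical; captures are constructed from this page.

# Print N from "CoreXL is currently enabled with N firewall instances."
corexl_instances() {
    sed -n 's/^CoreXL is currently enabled with \([0-9][0-9]*\) firewall instances.*/\1/p' | head -n 1
}

# Print the "total" counter under "Sync packets received:" (fw ctl pstat).
sync_received() {
    awk '/Sync packets received:/ { want = 1; next }
         want && /total :/ { sub(/.*total : */, ""); sub(/,.*/, ""); print; exit }'
}

# report_sync NAME CAPTURE: warn when the member has received no sync packets.
report_sync() {
    rx=$(printf '%s\n' "$2" | sync_received)
    if [ "$rx" = "0" ]; then
        echo "WARN: $1 has received 0 sync packets (rule out policy drops first)"
        return 1
    fi
}

# check_pair NAME_A CAPTURE_A NAME_B CAPTURE_B
# Prints findings; returns 0 when the members look consistent, 1 otherwise.
check_pair() {
    a_inst=$(printf '%s\n' "$2" | corexl_instances)
    b_inst=$(printf '%s\n' "$4" | corexl_instances)
    rc=0
    if [ -z "$a_inst" ] || [ -z "$b_inst" ]; then
        echo "UNKNOWN: CoreXL instance count missing from a capture"; rc=1
    elif [ "$a_inst" != "$b_inst" ]; then
        echo "MISMATCH: $1 has $a_inst CoreXL instances, $3 has $b_inst"; rc=1
    fi
    report_sync "$1" "$2" || rc=1
    report_sync "$3" "$4" || rc=1
    return $rc
}

# Constructed sample captures (lines taken from the output on this page).
CAP_246='CoreXL is currently enabled with 6 firewall instances.
        Sync packets received:
         total : 0,  were queued : 0, dropped by net : 0'
CAP_248='CoreXL is currently enabled with 2 firewall instances.
        Sync packets received:
         total : 0,  were queued : 0, dropped by net : 0'

check_pair cp-246 "$CAP_246" cp-248 "$CAP_248" || true
```

A non-zero return from `check_pair` is the cue to align the instance count on every member through `cpconfig` and reboot, as the post does.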

