Checkpoint Firewall upgrade failed

Posted on 2011-04-27
Medium Priority
Last Modified: 2012-05-11
We have (2) Nokia ip560's, they were running ipso 4.2 and r65, had vendor upgrade management server (splat) no issue. Then took secondary 560 out of cluster, upgraded ipso to 6.2, then upgraded to R71, no issue, then when we tried to join it back to cluster with existing primary that is on ipso 4.2 and R65, it fails with -> Cluster password authentication failure. We went in and verified it had correct password, then tried again, same error. We then went into Primary box did "change password" and tried it with new password, same error?

I've read through a ton of notes, and even ipso 6.2 release notes and it says that 6.2 will work with 4.2?

I received this reply from CPUG posting I put up:
You can not make any working Cluster with different software versions. R65 will never works together with R71, both cluster member should have the same version of CP software.

I then forwarded his reply to our FW vendor and this is what he said:
The information you provided is true. However, we were trying to bring the secondary unit into the IPSO cluster, which was prior to turning on the Checkpoint piece on the unit.
This IPSO clustering is to be independent of applications running on the units.

Question by:foad
  • 2
LVL 18

Accepted Solution

deimark earned 2000 total points
ID: 35477276
I tend to agree with cpug here bud, I think CP is getting things mixed up here.

As there are differing CP versions anyways, so the session sync is never going to work so there is little benefit in having the cluster config working on IPSO

I would suggest failing over the cluster to the newly upgraded host, and turn off/disconnect the old unit.

The errors you see are likely to be due to the newer clustering version not being able to contact the other node in a manner that it recognises.

Once the older node is out of commission, we can carry out the upgrade as normal.  Once the upgrade is done, we can then successfully add this to the cluster and normal service is resumed.,

Although the docs may say that IPSO 4.2 and 6.2 can work together in a cluster, there is little benefit to this without the CP sync working, so I say this is moot to be honest.

Also note, that with the advent of IPSO 6, we see another 2 new modes of IPSO clustering, including the N+1 and hot standby modes which are definitely incompatible with the old 4.2 clustering implementation

Hope this helps.

Author Comment

ID: 35477555
Ok, so your saying that we need to make Upgraded (Now R71) 560 primary, break cluster, upgrade previous primary (R65, 4.2) to 6.2 and R71 then rejoin both to Cluster?
LVL 18

Expert Comment

ID: 35477889
As we have the cluster config on the new (upgraded node) and as long as SIC still works, we can simply turn off the old unit and turn on the new one.  Push policy and all will be well, with a one node cluster.

As soon as the other unit is upgraded, we can add to cluster, get CP sync working and then push policy for a working 2 node cluster

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month17 days, 13 hours left to enroll

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question