Hey Matthew,

This procedure did in fact work in my lab. I did however find another way that did not require a reboot.

Using the WebUI interface, disabling the interface had the same effect, i.e. it disappeared from the ClusterXL interface list. Curious thing is an "ifconfig eth0 down" had NOT done the trick previously.

Thanks for the tip though.

Minh

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Matthew Odendaal
Sent: Thursday, November 25, 2010 1:38 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

We faced the same issue with some of our new installations.

For the last few versions of FireWall-1 (I'm not sure when it started exactly, but it is quite recent), the ClusterXL subsystem has started monitoring interfaces that are configured as "up" on the OS but not actually plugged in. We have seen that it assumes these interfaces to be down and it causes cluster failovers, regardless of how it is configured in the topology of the cluster object.

What we found in our investigation is that the /etc/sysconfig/netconf.C file had the interface configured as "up" even though it wasn't plugged in. To resolve it, we change the "iff-up" value from (1) to (0) in the netconf.C file and reboot.

We have been hoping that Check Point would make the ClusterXL subsystem work more closely with the Dashboard configuration, but so far it actually seems to be going the other way.

Another thing you can try is to define the interface in the topology and set it to "non-monitored private". This has worked for me occasionally, but it doesn't always resolve the problem. So far, the only way we have found to completely remove the interface from the ClusterXL monitoring system and topology list is to change the iff-up value in netconf.C. Unfortunately, this does require a reboot to take effect.

Let me know how it pans out.
Matthew

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of M. N.
Sent: 24 November 2010 06:43 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

Thanks, but I guess you didn't read the part where I said I'd like to avoid the discntd.if file procedure.

This SK doesn't really apply as this interface is not used at all. It doesn't explain also why the remaining interfaces eth6,7 & 8 do not appear in ClusterXL monitored list...

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Marius Banica
Sent: Wednesday, November 24, 2010 11:32 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

sk30060

Symptoms

* "cluster_info: (ClusterXL) interface ethX of member X is down" and "cluster_info: (ClusterXL) interface ethX of member X is up" error messages are displayed in SmartView Tracker even though proper cabling and switching is verified.
* Some interfaces are shown as "Down" when running cphaprob -a if command on the security gateway.

Cause

There are inactive or disconnected interfaces on Cluster Member(s). Cluster member interfaces are monitored by Check Point's CCP (Cluster Control Protocol). This protocol reports cluster member interface status to other cluster members. When inactive or disconnected interfaces are not declared in the $FWDIR/conf/discntd.if file, they are perceived as not working correctly and this problem is encountered.

Solution

Perform one of the following procedures depending on the OS.

For UNIX:

1. Run cpstop.
2. Open the $FWDIR/conf/discntd.if with a text editor.
3. Add the name of each interface that you do not want to be monitored by ClusterXL on a separate line.
   Example:
   eth4
   eth5
   eth6
   Note: if the $FWDIR/conf/discntd.if file does not exist, create it.
4. Save changes and exit.
5. Reboot the machine.
6. Repeat the same actions for the other cluster member.

For Windows:

1. Open the regedt32 registry editor. Do not use regedit.
2. Under HKEY_LOCAL_MACHINES\System\CurrentControlSet\Services\CPHA create a new value with the following characteristics:
   Value Name : DisconnectedInterfaces
   Data Type : REG_MULTI_SZ
3. Add the interface name. To obtain the interface system name run the command: fw getifs
4. Add this name to the list of disconnected interfaces using the following format: \device\<System Interface Name>
5. Run cphastop and then cphastart to apply the change.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of M. N.
Sent: Wednesday, November 24, 2010 4:52 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

Guys,

We have a non-defined Ethernet interface showing as DOWN on both cluster members when a "cphaprob -a if" command is issued. This currently has no impact as both members are showing as healthy (Active/Standby).

The SmartDashboard effectively does NOT show eth0 as it's supposed to and a security policy push & reboot did not solve it.

I was just wondering if there's a way to make this disappear without having to resort to the documented "discntd.if" file procedure.
Configuration:
SPLAT R71.20 Cluster
ClusterXL - HA Mode
Open Server

[exp...@passive-fw]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr F0:4D:A2:06:56:AB
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:146 Memory:d4000000-d4012100

Output:

[exp...@passive-fw]# cphaprob -a if

Required interfaces: 5
Required secured interfaces: 1

eth0       DOWN (4283.2 secs)  non sync(non secured), broadcast
eth1       UP                  non sync(non secured), multicast
eth2       UP                  non sync(non secured), multicast
eth3       UP                  non sync(non secured), multicast
eth4       UP                  sync(secured), multicast
eth5       UP                  non sync(non secured), multicast

Virtual cluster interfaces: 4

eth1            X
eth2            X
eth3            X
eth5            X

Thanks

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=================================================
Scanned by Check Point Total Security Gateway.
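An added example, not part of any message in the thread and not Check Point code: a shell filter that reads "cphaprob -a if" output in the layout posted above and reports each interface shown as DOWN that has no entry under "Virtual cluster interfaces", together with whether it is already named in a discntd.if-style file. The function names and the embedded sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: find interfaces that ClusterXL reports DOWN although they
# carry no virtual cluster address (the "non-defined" case in this thread).

# Constructed sample, modelled on the cphaprob output quoted in the thread
# (addresses are shown as X there as well).
sample_cphaprob() {
cat <<'EOF'
Required interfaces: 5
Required secured interfaces: 1

eth0       DOWN (4283.2 secs)  non sync(non secured), broadcast
eth1       UP                  non sync(non secured), multicast
eth2       UP                  non sync(non secured), multicast
eth3       UP                  non sync(non secured), multicast
eth4       UP                  sync(secured), multicast
eth5       UP                  non sync(non secured), multicast

Virtual cluster interfaces: 4

eth1            X
eth2            X
eth3            X
eth5            X
EOF
}

# stray_down_ifs [LIST_FILE] < cphaprob-output
# LIST_FILE holds one interface name per line (the discntd.if layout).
# Prints "<if> listed" or "<if> unlisted" for every interface that is DOWN
# and absent from the "Virtual cluster interfaces" section.
stray_down_ifs() {
    awk -v listfile="${1:-/dev/null}" '
        BEGIN {
            # A missing or empty list file simply yields an empty set.
            while ((getline l < listfile) > 0) {
                gsub(/[ \t\r]/, "", l)
                if (l != "") skip[l] = 1
            }
        }
        /^Virtual cluster interfaces:/ { virt = 1; next }
        NF < 2 || /^Required / { next }      # blank lines and counters
        virt { has_vip[$1] = 1; next }       # section after the header
        $2 == "DOWN" { down[++n] = $1 }      # status table before it
        END {
            for (i = 1; i <= n; i++)
                if (!(down[i] in has_vip))
                    print down[i], ((down[i] in skip) ? "listed" : "unlisted")
        }'
}

sample_cphaprob | stray_down_ifs    # prints: eth0 unlisted
```

On a gateway the same function can be fed live output, for example `cphaprob -a if | stray_down_ifs "$FWDIR/conf/discntd.if"`.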