Hey Matthew,
This procedure did in fact work in my lab.

I did however find another way that did not require a reboot.

Using the WebUI interface, disabling the interface had the same effect, i.e. it 
disappeared from the ClusterXL interface list. 

Curious thing is a "ifconfig eth0 down" had NOT done the trick previously.

Thanks for the tip though


-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Matthew 
Sent: Thursday, November 25, 2010 1:38 AM
Subject: Re: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

We faced the same issue with some of our new installations.

For the last few versions of FireWall-1 (I'm not sure when it started exactly, 
but it is quite recent), the ClusterXL subsystem has started monitoring 
interfaces that are configured as "up" on the OS but not actually plugged in. 
We have seen that it assumes these interfaces to be down and it causes cluster 
failovers, regardless of how it is configured in the topology of the cluster.

What we found in our investigation is that the /etc/sysconfig/netconf.C file 
had the interface configured as "up" even though it wasn't plugged in. To 
resolve it, we change the "iff-up" value from (1) to (0) in the netconf.C file 
and reboot. 

We have been hoping that Check Point would make the ClusterXL subsystem work 
more closely with the Dashboard configuration, but so far it actually seems to 
be going the other way.

Another thing you can try is to define the interface in the topology and set it 
to "non-monitored private". This has worked for me occasionally, but it doesn't 
always resolve the problem.

So far, the only way we have found to completely remove the interface from the 
ClusterXL monitoring system and topology list is to change the iff-up value in 
netconf.C. Unfortunately, this does require a reboot to take effect.

Let me know how it pans out.


-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of M. N.
Sent: 24 November 2010 06:43 PM
Subject: Re: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

Thanks, but I guess you didn't read the part where I said I'd like to avoid
the discntd.if file procedure.

This SK doesn't really apply as this interface is not used at all.

It doesn't explain also why the remaining interfaces eth6,7 & 8 do not
appear in ClusterXL monitored list...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Marius
Sent: Wednesday, November 24, 2010 11:32 AM
Subject: Re: [FW-1] ClusterXL: Non-Defined interface showing as DOWN



    * "cluster_info: (ClusterXL) interface ethX of member X is down" and
"cluster_info: (ClusterXL) interface ethX of member X is up" error messages
are displayed in SmartView Tracker even though proper cabling and switching
is verified.
    * Some interfaces are shown as "Down" when running cphaprob -a if
command on the security gateway. 


There are inactive or disconnected interfaces on Cluster Member(s).
Cluster member interfaces are monitored by Check Point's CCP (Cluster
Control Protocol).
This protocol reports cluster member interface status to other cluster
members. When inactive or disconnected interfaces are not declared in the
$FWDIR/conf/discntd.if file, they are perceived as not working correctly and
this problem is encountered.


Perform one of the following procedures depending on the OS.


   1. Run cpstop.

   2. Open the $FWDIR/conf/discntd.if with a text editor.

   3. Add the name of each interface that you do not want to be monitored
by ClusterXL on a separate line.


      Note: if the $FWDIR/conf/discntd.if file does not exist, create it.

   4. Save changes and exit.

   5. Reboot the machine.

   6. Repeat the same actions for the other cluster member.

For Windows:

   1. Open the regedt32 registry editor. Do not use regedit.

   2. Under HKEY_LOCAL_MACHINES\System\CurrentControlSet\Services\CPHA
create a new value with the following characteristics:
      Value Name : DisconnectedInterfaces
      Data Type : REG_MULTI_SZ

   3. Add the interface name. To obtain the interface system name run the
command: fw getifs

   4. Add this name to the list of disconnected interfaces using the
following format:
      \device\<System Interface Name>

   5. Run cphastop and then cphastart to apply the change.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of M. N.
Sent: Wednesday, November 24, 2010 4:52 PM
Subject: [FW-1] ClusterXL: Non-Defined interface showing as DOWN

We have a non-defined Ethernet interface showing as DOWN on both cluster
members when a "cphaprob -a if" command is issued. This currently has no
impact as both members are showing as healthy (Active/Standby).

The SmartDashboard effectively does NOT show eth0 as it's supposed to and a
security policy push & reboot did not solve it.


I was just wondering if there's a way to make this disappear without having
to resort to the documented "discntd.if" file procedure.


SPLAT R71.20 Cluster

ClusterXL - HA Mode

Open Server


[exp...@passive-fw]# ifconfig eth0
eth0        Link encap:Ethernet  HWaddr F0:4D:A2:06:56:AB  
            UP BROADCAST MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000 
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
            Interrupt:146 Memory:d4000000-d4012100




[exp...@passive-fw]# cphaprob -a if

Required interfaces: 5
Required secured interfaces: 1

eth0       DOWN (4283.2 secs)    non sync(non secured), broadcast
eth1       UP                    non sync(non secured), multicast
eth2       UP                    non sync(non secured), multicast
eth3       UP                    non sync(non secured), multicast
eth4       UP                    sync(secured), multicast
eth5       UP                    non sync(non secured), multicast

Virtual cluster interfaces: 4

eth1            X
eth2            X
eth3            X
eth5            X
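
The check discussed in this thread, as an added example that is not from any of the posters or from Check Point: it reads "cphaprob -a if" output, reports interfaces shown as DOWN that have no entry under "Virtual cluster interfaces", and lists which of them are not yet in a discntd.if file. The function names are hypothetical, the parsing assumes the output layout shown in the original post, and the sample is that output with blank lines removed.

```shell
# Added example; function names are hypothetical, not Check Point tooling.
# Reads `cphaprob -a if` output on stdin. Prints interfaces reported DOWN
# that have no entry under "Virtual cluster interfaces", i.e. interfaces
# monitored by ClusterXL although they are not part of the cluster topology.
down_undefined_ifs() {
    awk '
        /^Virtual cluster interfaces/ { in_virtual = 1; next }
        in_virtual && $1 ~ /^[A-Za-z]/ { virtual[$1] = 1; next }
        !in_virtual && $2 == "DOWN"    { down[++n] = $1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(down[i] in virtual)) print down[i]
        }
    '
}

# Reads interface names on stdin. Prints those not yet listed, one per line,
# in the discntd.if-style file given as $1 (a missing file lists nothing).
missing_from_discntd() {
    while IFS= read -r ifname; do
        [ -n "$ifname" ] || continue
        if [ ! -f "$1" ] || ! grep -Fxq -- "$ifname" "$1"; then
            printf '%s\n' "$ifname"
        fi
    done
}

# Output from the original post, blank lines removed.
sample_cphaprob_output() {
    cat <<'EOF'
Required interfaces: 5
Required secured interfaces: 1
eth0       DOWN (4283.2 secs)    non sync(non secured), broadcast
eth1       UP                    non sync(non secured), multicast
eth2       UP                    non sync(non secured), multicast
eth3       UP                    non sync(non secured), multicast
eth4       UP                    sync(secured), multicast
eth5       UP                    non sync(non secured), multicast
Virtual cluster interfaces: 4
eth1            X
eth2            X
eth3            X
eth5            X
EOF
}

# On a gateway: cphaprob -a if | down_undefined_ifs | missing_from_discntd "$FWDIR/conf/discntd.if"
sample_cphaprob_output | down_undefined_ifs
```

An interface that is DOWN and does appear under "Virtual cluster interfaces" is deliberately not reported, since that is a real cluster interface failure rather than an unused port.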




To set vacation, Out-Of-Office, or away messages, send an email to
in the BODY of the email add:
set fw-1-mailinglist nomail
To unsubscribe from this mailing list,
please see the instructions at
If you have any questions on how to change your subscription options, email

Scanned by Check Point Total Security Gateway.
