Beruflich Dokumente
Kultur Dokumente
Connectivity Upgrade
Best Practices
Classification: [Protected]
© 2017 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Connectivity
Upgrade R77.x and R80.x Versions Best Practices.
Revision History
Date Description
24 January 2017 Dynamic Routing support and minor improvements
Introduction
NEW! Cluster Connectivity Upgrade supports Dynamic Routing Synchronization in R80.10, in
R77.30DR (R77.30 Jumbo Hotfix Take 198 and higher), and in R77.20DR (R77.20 Jumbo Hotfix Take
198 and higher).
A Connectivity Upgrade (CU) lets you upgrade ClusterXL clusters on live systems without
downtime. In a Connectivity Upgrade:
• Connection failover is guaranteed.
• There is always at least one active cluster member that handles the traffic.
• Connections are synchronized among cluster members which run different Check Point
software versions.
Supported Versions
Check Point Connectivity Upgrade (CU) synchronizes existing connections to maintain connectivity
during cluster upgrades.
Connectivity Upgrade is supported for these releases:
Upgrade from
R77.20 R77.20DR R77.30 R77.30DR R80.10
Version
R75.40VS CU CU + DR CU CU + DR CU + DR
R75.46 CU CU + DR CU CU + DR CU + DR
R75.47 CU CU + DR CU CU + DR CU + DR
R76 CU CU + DR CU CU + DR CU + DR
R77 - - CU CU + DR CU + DR
R77.10 - - CU CU + DR CU + DR
R77.20 - - CU CU + DR CU + DR
R77.20DR - - CU CU + DR CU + DR
R77.30 - - - - CU + DR
R77.30DR - - - - CU + DR
Note:
• For upgrade action plans for Dynamic Routing in Connectivity Upgrades see sk107042
http://supportcontent.checkpoint.com/solutions?id=sk107042.
• Dynamic Routing in Connectivity Upgrades for VRRP clusters is supported only in upgrades
from R77.30 to R80.10.
To check the cluster member's state and to get its IP address and the cluster
member ID:
Run the cphaprob stat command on the cluster member.
5. Make sure that the Connectivity Upgrade is complete. ("Making Sure the Upgrade Completed"
on page 13)
6. On the Active cluster member, run these commands:
a) cphaprob stat
Make sure the local member is in Active or Active Attention state, and the upgraded
member is in Down state.
b) fwaccel off
Disable acceleration in order to synchronize delayed connections (templates).
c) cpstop
The connections fail over to the upgraded cluster member.
7. On the upgraded cluster member, run: cphaprob stat
Make sure that it is now in the Active state.
8. On the new upgraded cluster member, run: cphacu stat
Make sure it handles the traffic.
9. Upgrade the former Active cluster member.
Make sure to reboot it after the upgrade.
10. Install Policy.
After the cluster upgrade is complete, the Cluster Control Protocol works in broadcast mode. To
return it to multicast mode, on all cluster members, run: cphaconf set_ccp multicast
To check the cluster member's state and to get its IP address and the cluster
member ID:
Run the cphaprob stat command on each of the gateways.
Make sure that the non-upgraded member is in Active or Active Attention state, and that the
upgraded member is in Down state.
5. On the upgraded member, run:
cphacu start <Sync IP of Active_GW> <Member ID of Active_GW>
For R80.10, R77.30DR and R77.20DR, run:
cphacu start <no_dr>
If dynamic routing synchronization is not required, use the no_dr option.
6. Make sure that the Connectivity Upgrade is complete ("Making Sure the Upgrade Completed"
on page 13).
7. In VS 0, on the non-upgraded member, run:
a) fwaccel off -a
Disable acceleration in order to synchronize delayed connections (templates).
b) cpstop
8. On the upgraded member, run:
a) cphaprob stat
Make sure that it is now in Active state.
b) Run: cphacu stat
Make sure that it handles the traffic.
9. Upgrade the non-upgraded cluster member with a clean install.
Make sure to reboot the gateway after the upgrade.
To check the cluster member's state and to get its IP address and the cluster
member ID:
• Run the cphaprob stat command on the cluster member.
2. In SmartDashboard:
a) In the Gateway Cluster General Properties window, change the Cluster version to the
upgraded one.
b) In the Install Policy window > Installation Mode > select Install on each selected gateway
independently and clear For Gateway Clusters install on all the members, if it fails do not
install at all.
c) Install the security policy on the cluster.
Note - The policy successfully installs on the Ready cluster member and fails to install on the
Active cluster member. This is expected, ignore the warning.
3. Run cpstop on all of the upgraded members except one.
4. On the upgraded member that is not stopped, run: cphaprob stat
Make sure the state is Ready.
5. On the non-upgraded member, run: cphaprob stat
Make sure the state is Active or Active Attention, and all upgraded members are in Down
state.
6. On the upgraded member that is not stopped, run:
cphacu start <Sync IP of Active_GW> <Member ID of Active_GW>
For R80.10, R77.30DR and R77.20DR, run:
cphacu start <no_dr>
If dynamic routing synchronization is not required, use the no_dr option.
7. Make sure that the connectivity upgrade is complete. ("Making Sure the Upgrade Completed"
on page 13)
8. On the non-upgraded member, run:
a) fwaccel off
Disable acceleration in order to synchronize delayed connections (templates).
b) cpstop
9. On the upgraded member that is not stopped, run:
a) cphaprob stat
Make sure that it is now in Active state.
b) Run: cphacu stat
Make sure that it monitors the traffic.
10. Run cpstart on the all of the upgraded members that were stopped.
11. Upgrade the remaining members.
Reboot the gateway after the upgrade.
9. Run cpstart on the all of the upgraded members that were stopped.
10. Upgrade the last cluster member with a clean install.
Make sure to reboot the gateway after the upgrade.
Make sure that all the interfaces on this member are in Master state.
4. On the upgraded cluster member, run:
a) cphaprob stat
Make sure that the cluster member is in Ready state.
b) show vrrp
Make sure that all the interfaces on this member are in Backup state.
c) cphacu start <no_dr>
Add no_dr to the command only if dynamic routing synchronization is not necessary.
d) cphacu stat
Make sure that the Active cluster member (the peer) monitors the traffic.
5. On the Active cluster member, run:
a) show vrrp
Make sure that the Active cluster member monitors the traffic.
b) fwaccel off
Disable acceleration in order to synchronize delayed connections (templates).
c) cpstop
The connections fail over to the upgraded cluster member.
6. On the upgraded cluster member, run:
a) cphaprob stat
Make sure that the upgraded cluster member is in Active state.
b) show vrrp
Make sure that all the interfaces on this member are in Master state.
7. On the new upgraded cluster member, run:
cphacu stat
Make sure the new upgraded cluster member monitors the traffic.
8. Upgrade the former Active cluster member.
• Reboot the former Active cluster member after the upgrade.
• Make sure that the VRRP interface priorities are lower on this member to prevent the
possibility of unwanted failover.
9. Install Policy.
After the cluster upgrade is complete, the Cluster Control Protocol is in broadcast mode. To
revert it to multicast mode, on all cluster members, run:
cphaconf set_ccp multicast
For Dynamic Routing synchronization on R80.10, R77.30DR, and R77.20DR: Make sure that the
dynamic routes on the new member (the upgraded cluster member) are similar to the routes on
the old member (the cluster member before the upgrade). Run: show route summary
Error Description
Failed to get kernel parameter ### CU could not retrieve the kernel parameter, which can
happen if CU is on the old member.
You must specify the Sync IP and the The user did not pass the sync IP and member ID to the
member Id of the old member CU script.
The member Id must be between 1-4 An invalid member ID was passed to the CU script.
Only a single instance of connectivity The CU script is already running and the user is trying to
upgrade can run at a time run CU again. Run ps to make sure that the CU script is
running and wait until CU finishes running.
Failed to get member state CU could not get the cluster state of the local member.
Run cphaprob on the local member and make sure that
the output shows the state of the local member.
Error Description
Connectivity upgrade failed since the CU only runs if the state of the new member is Ready. CU
local member is not in Ready state checks many times if the member is in Ready state, if the
member is still not in Ready state then the CU script will
exit.
Connectivity upgrade failed since For Security Gateways only: CU only runs if the
Synchronization PNote is set to Synchronization PNote is ok. CU checks many times if the
problem Synchronization PNote is ok, and if not, the CU script will
exit. If you get this error, install policy and run the cphacu
script again.
Connectivity upgrade failed because When CU starts, the two members begin to communicate,
CPHAPROB cannot see the old and the new member sees the old member as Active.
member's state. Check communication on the sync interface, and make
sure that the MAC Magic Configuration is correct.
Failed to enable Connectivity CU could not update the kernel about the status of this
Upgrade kernel parameter.
This can happen if CU is run on a version that does not
Failed to get fwha_version
support CU.
Failed to get
fwha_cu_override_last_heard_ccp_v
ersion of the other member
Failed to get
fwha_cu_last_heard_ccp_version of
the other member
Failed to initialize full sync for VS CU failed to start a full sync, which synchronizes the
###; Connectivity Upgrade failed connections from the old member to the new member.
Failed to run fullsync for VS ###; The full sync was started but did not finish. This means
Connectivity Upgrade failed that some of the connections were not synchronized.
Failed to run cphacu state for VS The script cphacu state failed to show the current state
### of connectivity CU.
Error printing connections table per CU failed to print the connection table summary for each
vs VS.
Limitations
Some features do not survive after failover to an upgraded cluster member: