For current Check Point releases, application monitoring checks the HA status too.Even when Check Point is running, the
show application vap-group command shows Application State "Down" and the VAP Status is Up but not Active in
CBS# show application vap-group
VAP Group : fw
App ID : CPSG
Name : Check Point Security Gateway
Version : R75
Release : 10
Start on Boot : yes
App Monitor : on
App State (fw_1) : Down App State (fw_2) : Down
CBS# show ap-vap-mapping
Module Slot Status VAP IP Address VAP Group Index Master (true/false)
AP2 3 Up 188.8.131.52 fw 1 true
AP5 6 Up 184.108.40.206 fw 2 false
For older versions of Check Point applications, the application monitoring verifies only if the processes FWD and CPD are running.
For all current Check Point releases (CPSG R70, CBI version 220.127.116.11-2 and newer), application monitoring checks the HA status too.
There are situations that can cause the HA process to not start. For example:
A security policy has not been installed yet
Different application versions exist between cluster members
Any problem with the Cluster configuration
A mismatch in CoreXL settings on cluster members
If the HA process does not start , the VAP application state will be shown as "Down".
You can manually check the output of the application monitor script by running the following command from the VAP member:
cpd is RUNNING
fwd is RUNNING
HA is NOT READY
Reporting application state: DOWN
Note: the output of the
app_status script differs between RPM and CBI Check Point installation. See KB Article #5714 for more information.
To troubleshoot Check Point application status issues, following commands are useful:
Restart application manually with cpstop and cpstart to check if the services are coming up and policy can be fetched from the CP Management Server.
Run ping from one Cluster member on the sync circuit and tcpdump on the receiving member to check for any connectivity issue. Ping will not get through if security policy does not allow it.
Run fw ctl multik stat on each Cluster member to verify identical CoreXL settings.
Imported Document ID: 000019476
Subscribing will provide email updates when this Article is updated. Login is required.