In a Hyper-V environment, the Virtual Machine's clock moves faster than the hardware time
Security Gateway, Security Management, Multi-Domain Management / Provider-1
R77.30, R80.10, R80.20
Platform / Model
- In a Hyper-V environment, the Virtual Machine's clock (OS time) moves faster than the hardware (Host) time (2-3 seconds every minute).
As a result, the Virtual Machine's clock drift can accumulate rapidly and prevent NTP from working correctly.
The Hyper-V clocksource does not work on a 64-bit kernel.
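The drift in the symptom above can be compared with what NTP is able to correct. The following script is an added example, not part of the original Check Point article: it fits a drift rate in ppm to paired clock samples and checks it against the 500 ppm frequency-correction limit of ntpd. The sample values are constructed, and the function names and the way the reference time is collected are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code): estimate VM clock drift from samples.
# Input on stdin, one sample per line: "<reference_epoch> <vm_epoch>"
#   reference_epoch: seconds from a trusted clock (assumption: collected by you)
#   vm_epoch:        seconds from the VM at the same moment, e.g. `date +%s.%N`

NTP_MAX_PPM=500   # ntpd cannot discipline a clock that is off by more than 500 ppm

# drift_ppm: least-squares slope of (vm - reference) over reference time, in ppm.
# A positive result means the VM clock runs fast.
drift_ppm() {
  awk '
    NF >= 2 && $1 !~ /^#/ {
      if (n == 0) x0 = $1
      x = $1 - x0                 # shift origin to keep the sums small
      y = $2 - $1                 # offset of the VM clock at this sample
      n++; sx += x; sy += y; sxx += x * x; sxy += x * y
    }
    END {
      den = n * sxx - sx * sx
      if (n < 2 || den == 0) {
        print "need at least 2 samples at distinct times" > "/dev/stderr"
        exit 1
      }
      printf "%.0f\n", (n * sxy - sx * sy) / den * 1e6
    }'
}

# classify_drift <ppm>: "ok" if ntpd can absorb the drift, else "exceeds-ntp".
classify_drift() {
  abs=${1#-}                      # absolute value of an integer ppm figure
  if [ "$abs" -le "$NTP_MAX_PPM" ]; then echo ok; else echo exceeds-ntp; fi
}

# Constructed samples: the VM gains 2.5 s per 60 s, as in the symptom.
SAMPLE_FAST='1000 1000.0
1060 1062.5
1120 1125.0
1180 1187.5'

# Constructed samples: the VM gains 1 ms per 60 s (a healthy clock).
SAMPLE_OK='1000 1000.000
1060 1060.001
1120 1120.002
1180 1180.003'

ppm=$(printf '%s\n' "$SAMPLE_FAST" | drift_ppm)
echo "drift: ${ppm} ppm -> $(classify_drift "$ppm")"
```

A drift of 2-3 seconds per minute is roughly 33,000-50,000 ppm, far outside the range ntpd can steer, which is why the fix has to be applied at the clocksource or Hyper-V level rather than in the NTP configuration.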
This problem was fixed. The fix is included in:
Check Point recommends always upgrading to the most recent version (upgrade Security Management Server / upgrade Multi-Domain Security Management Server).
For other supported versions, Check Point can supply a Hotfix.
Follow these steps:
1. Hyper-V integration services should not offer time sync.
   Uncheck this setting in the "Advanced" section of hardware properties of the Hyper-V VM.
   If this is not acceptable, then proceed to the next step.
2. Contact Check Point Support to get a Hotfix for this issue (Issue ID 02550557).
   A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
   For faster resolution and verification, please collect the CPInfo file from the Gaia OS running within Hyper-V that is involved in the case.
Hotfix installation instructions:
The Hotfix has to be installed on the Gaia OS running within Hyper-V.
- In a cluster environment, this procedure must be performed on all members of the cluster.
- In a Management HA environment, this procedure must be performed on both Management Servers.
Using CPUSE - On Security Gateway / Management Server running Gaia OS R75.40 and above:
Make sure to install the latest build of the CPUSE Agent.
Refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent):
- Section "(4-A-c)" / "(4-A-d)" - refer to import instructions for Offline procedure
- Section "(4-B-a)" - refer to installation instructions for Hotfixes
You can also use the sk111158 - Central Deployment Tool (CDT) to install this hotfix on Security Gateways.
Note: Reboot is required.
Using Legacy CLI - On VSX Gateway running Gaia OS R75.40VS - R77.30:
Note: You must be connected either over Console, or LOM card (SSH session could be disconnected). On VSX versions R75.40VS - R77.30, the Gaia CPUSE does not support installation of hotfixes (refer to sk92449 - section "(2)" - "VSX Gateways").
Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
Unpack and install the hotfix package:
[Expert@HostName:0]# cd /some_path_to_fix/
[Expert@HostName:0]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz
Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Reboot the machine.
- 01621547, 02550557, 02555731, 02553922
- PRHF-329, PRHF-627, PRHF-1452, PRHF-3010, PRHF-2243