During policy installation, Virtual Systems on VSX VSLS cluster briefly go to "Down" state due to "Interface Active Check" pnote
Symptoms
  • During policy installation on Virtual Systems of VSX VSLS cluster:

    • Output of "cphaprob state" command shows that Virtual Systems briefly go to "Down" state

    • Output of "cphaprob -a if" command shows "Inbound: UP" and "Outbound: DOWN" on the problematic Virtual Systems

    • Output of "cphaprob list" command shows on the problematic Virtual Systems:

      Device Name: Interface Active Check
      Current state: problem

    • Cluster debug "fw ctl debug -m cluster + stat pnote" shows:

      • ;FW-1: calc_if_statistics:   trusted IN: UP 0 ASSUMED UP 1 OUT: UP 0 ASSUMED UP 1;
        ... ...
        ;FW-1: fwha_report_id_problem_status: State (FAILURE) reported by device Interface Active Check (blocking) ...;
        ... ...
        ;fwha_report_id_problem_status: Try to update state to FAILURE due to pnote Interface Active Check (desc 0 trusted interfaces required, only 1 up);
      • ;CPHA: Phase I: Looking for machines in policy update mode...found 2 machines.;
        ;CPHA: Sending Policy ID change request. Status: 3;
        ;CPHA: Phase II: Looking for machines ready to update policy...found 1 machines.;
        ;CPHA: waiting for more machines.;
        ... ...
        ;CPHA: Policy change timeout has occured. More than <X> seconds have ellapsed since last policy update package;
Cause
  • Issue 02338729: During policy installation, the cluster resets its number of required trusted (sync) interfaces and updates it only at a later stage.
    In some cases, policy installation might take longer than expected, which leads to the Critical Device "Interface Active Check" reporting its state as "problem". In turn, this causes the Virtual System to change its cluster state to "Down".

  • Issue 02338820: During policy installation on VSX cluster members, at the end of policy installation on VS0, VS0 sends an update message to all other Virtual Systems to notify them that they need to configure themselves, and all Virtual Systems are required to install the same policy that they already have. This could lead to the Critical Device "Interface Active Check" reporting its state as "problem". In turn, this causes the Virtual System to change its cluster state to "Down".

  • Issue 02338954: In some cases, policy installation on a cluster member might take longer than expected (running the cluster debug "fw ctl debug -m cluster + conf" would show "CPHA: Policy change timeout has occured. More than X seconds have ellapsed since last policy update package").

  • Issue 01872681: The policy installation process on one VSX cluster member might begin much later than on the other VSX cluster members. All cluster members must synchronize their policy installation in order to have the same policy at any given time. If the time difference between the start of policy installation on the cluster members is greater than the predetermined allowed timeout period, the cluster policy installation will fail.
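
To check a saved cluster debug capture against the symptom lines above, the following added example (not Check Point code) scans the text for those signatures and summarises them. The sample input is assembled from the lines quoted on this page, and the `count_reset_suspected` heuristic is an assumption of this example.

```python
import re

# Patterns taken from the debug lines quoted under Symptoms.
PNOTE = re.compile(r"Try to update state to FAILURE due to pnote Interface Active Check "
                   r"\(desc (\d+) trusted interfaces required, only (\d+) up\)")
IF_STATS = re.compile(r"calc_if_statistics:\s+trusted IN: UP (\d+) ASSUMED UP \d+ "
                      r"OUT: UP (\d+) ASSUMED UP \d+")
PHASE = re.compile(r"CPHA: Phase (I|II): .*found (\d+) machines")
TIMEOUT = "CPHA: Policy change timeout has occured"  # spelling as emitted in the log

# Sample assembled from the lines quoted on this page (not a full capture).
SAMPLE = """\
;FW-1: calc_if_statistics:   trusted IN: UP 0 ASSUMED UP 1 OUT: UP 0 ASSUMED UP 1;
;FW-1: fwha_report_id_problem_status: State (FAILURE) reported by device Interface Active Check (blocking) ...;
;fwha_report_id_problem_status: Try to update state to FAILURE due to pnote Interface Active Check (desc 0 trusted interfaces required, only 1 up);
;CPHA: Phase I: Looking for machines in policy update mode...found 2 machines.;
;CPHA: Sending Policy ID change request. Status: 3;
;CPHA: Phase II: Looking for machines ready to update policy...found 1 machines.;
;CPHA: waiting for more machines.;
;CPHA: Policy change timeout has occured. More than <X> seconds have ellapsed since last policy update package;
"""

def triage(debug_text):
    """Summarise the symptom signatures found in cluster debug output."""
    out = {"pnote_failures": [], "no_confirmed_up": 0,
           "policy_timeout": False, "members_not_ready": None}
    phase = {}
    for line in debug_text.splitlines():
        if m := PNOTE.search(line):
            required, up = int(m.group(1)), int(m.group(2))
            # Assumption of this example: a FAILURE reported while up >= required
            # (the page's sample has required == 0) points at the reset of the
            # required count described in Issue 02338729, not at a dead link.
            out["pnote_failures"].append(
                {"required": required, "up": up, "count_reset_suspected": up >= required})
        elif m := IF_STATS.search(line):
            if int(m.group(1)) == 0 and int(m.group(2)) == 0:
                out["no_confirmed_up"] += 1  # trusted IN and OUT both show UP 0
        elif m := PHASE.search(line):
            phase[m.group(1)] = int(m.group(2))
        elif TIMEOUT in line:
            out["policy_timeout"] = True
    if "I" in phase and "II" in phase:
        # Members seen in policy update mode but not yet ready to update.
        out["members_not_ready"] = phase["I"] - phase["II"]
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
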

