Support Center > Search Results > SecureKnowledge Details
R80.30 cluster, with CCP Encryption enabled, managed by an R80.10 Security Management comes up in Active/Active state
Symptoms
  • R80.30 cluster, with CCP Encryption enabled, comes up in Active/Active mode when the cluster is managed by an R80.10 Security Management
  • CCP Encryption feature is enabled and CCP is sent and received on both cluster members.
    CCP Encryption default configuration:
    - On kernel 3.10 - the feature is Enabled by default
    - On kernel 2.6 - the feature is Disabled by default
  • cluster debug shows the following:
    @;1490; 9Sep2019 17:19:46.634202;[vs_0];[tid_1];[fw4_1];fwha_load_ccp_enc_key: Sending CCP Encryption key trap;
    @;1490; 9Sep2019 17:19:46.634204;[vs_0];[tid_1];[fw4_1];fwha_change_ccp_enc_key: called by fwha_decrypt_fwhap_msg;
    @;1490; 9Sep2019 17:19:46.634205;[vs_0];[tid_1];[fw4_1];fwha_change_ccp_enc_key: CCP Encryption key was not loaded during policy installation;
    @;1490; 9Sep2019 17:19:46.634207;[vs_0];[tid_1];[fw4_1];FW-1: fwhamultik_event_add: changing multik value fwha_event_queue_tail.;
    @;1490; 9Sep2019 17:19:46.634211;[vs_0];[tid_1];[fw4_1];fwha_set_ccp_dec_key_status: member 1 decryption key changed to ;
    @;1490; 9Sep2019 17:19:46.634212;[vs_0];[tid_1];[fw4_1];fwha_set_ccp_dec_key_status: member 2 decryption key changed to ;
    @;1490; 9Sep2019 17:19:46.634213;[vs_0];[tid_1];[fw4_1];fwha_change_ccp_dec_key: CCP Encryption key was not loaded during policy installation;
    @;1490; 9Sep2019 17:19:46.634214;[vs_0];[tid_1];[fw4_1];fwha_decrypt_ccp_init: CCP Decryption key not configured for mem 2;
    @;1490; 9Sep2019 17:19:46.634215;[vs_0];[tid_1];[fw4_1];fwha_decrypt_ccp: Failed to initialize key for mem 2;
    @;1490; 9Sep2019 17:19:46.634216;[vs_0];[tid_1];[fw4_1];fwha_decrypt_fwhap_msg: failed to decrypt data;
    
Cause

The cluster CCP Encryption feature is only supported on Security Management version R80.20 or higher.

Since R80.30 kernel 3.10 has the CCP encryption feature enabled by default - the issue will occur on kernel 3.10
However, as R80.30 kernel 2.6 has CCP encryption feature disabled by default - the issue will not occur on kernel 2.6 (unless enabled by the administrator)


Solution
Note: To view this solution you need to Sign In .