Technical data
VSX Diagnostics and Troubleshooting
Check Point VSX Administration Guide NGX R67 | 182
Possible cause: Missing or invalid VSX gateway/cluster licenses. Run fw vsx stat on all gateways, and make sure that the value shown for "Number of Virtual Systems allowed by license:" in the output is greater than 0.
How to resolve: Obtain and install a valid VSX license for each VSX gateway or cluster member.

Possible cause: Time or time zone mismatch between the management and the gateway. For proper SIC operation, the time, date and time zone must be synchronized between the management server and gateways/cluster members. Execute the /bin/date -u command on all machines, to obtain the correct UTC/GMT time. The machines can be in different time zones, as long as their UTC/GMT times match.
How to resolve: Change the time, date and time zone on the management and/or the gateway(s) so that their UTC/GMT times match. Refer to your operating system documentation for the exact commands needed to accomplish this.
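
The two checks above can be run offline against saved command output. This script is an added example, not part of the Check Point guide. The function names, the 5-second tolerance, the host names and the sample data are assumptions, and the epoch values are assumed to come from /bin/date -u +%s on each machine.

```shell
#!/bin/sh
# Added example: offline checks for the license and UTC-time causes above.
# Function names, tolerance and all sample data are assumptions.

# Print the number that follows the license line in saved `fw vsx stat`
# output. Prints 0 when the line or its value is missing, so that case
# fails the "greater than 0" check as well.
vs_allowed() {
    awk -F: '/Number of Virtual Systems allowed by license/ {
                 gsub(/[^0-9]/, "", $2); n = $2; found = 1 }
             END { print (found && n != "" ? n + 0 : 0) }'
}

# Read "name epoch" lines; the first line is the management server.
# Print each machine whose UTC clock differs from it by more than $1
# seconds, and return 1 if any does. Keep the tolerance above the delay
# between collecting the values, or that delay is reported as skew.
utc_mismatch() {
    awk -v tol="$1" '
        NR == 1 { ref = $2; next }
        { d = $2 - ref; if (d < 0) d = -d
          if (d > tol) { print $1, d; bad = 1 } }
        END { exit bad }'
}

# Constructed sample data (not captured from a real gateway).
SAMPLE_STAT='Number of Virtual Systems allowed by license:          10'
SAMPLE_TIMES='mgmt 1700000000
vsx-member1 1700000002
vsx-member2 1700003600'

check_all() {
    n=$(printf '%s\n' "$SAMPLE_STAT" | vs_allowed)
    [ "$n" -gt 0 ] && echo "license OK: $n Virtual Systems allowed" \
                   || echo "license problem: 0 Virtual Systems allowed"
    printf '%s\n' "$SAMPLE_TIMES" | utc_mismatch 5 \
        || echo "UTC mismatch on the machines listed above (name, seconds)"
}
check_all
```

A difference that is a whole number of hours, such as the 3600 seconds reported for vsx-member2 in the sample, usually means the local time was entered without the correct time zone rather than that the clock has drifted.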
Internal Host Cannot Ping Virtual System
After defining a Virtual System with an internal VLAN interface, an internal host on that VLAN cannot ping
the Virtual System internal or external IP address.
Possible cause: A policy allowing the communication was not installed on the Virtual System. Note that after creating a Virtual System, it has a default policy that blocks all traffic.
How to resolve: Install a policy on the Virtual System that enables the traffic. Check with the SmartView Tracker that the Virtual System is allowing the traffic.

Possible cause: There is a VLAN configuration problem on a switch, or a physical cable problem.
How to resolve: Check the switch configuration. Make sure that the VLAN tag configured on the switch is the same as the one used for the Virtual System VLAN interface. Check the cables, and make sure that you have plugged the cable from the switch to the correct port on the VSX gateway or cluster members.

Possible cause: Incorrect routing on adjacent routers or hosts.
How to resolve: Check the routing tables on intermediate routers and hosts. You can use tcpdump on the relevant VLAN interface on the VSX gateway or cluster member to verify that the traffic is arriving at and leaving the VSX machine.

Possible cause: Incorrect IP address or net mask defined on the Virtual System VLAN interface.
How to resolve: Check the IP address and the net mask assigned to the Virtual System internal VLAN interface.