topic Re: Failover Issue with AWS deployment in Cloud Firewall

Failover Issue with AWS deployment

Abhishek_Kumar1 — Thu, 05 Sep 2019 20:21:01 GMT

Hi All

We have deployed Firewall in AWS in HA.

We have multiplease server configure in Static nat which is accessible from out side.

we deployed firewall in cluster, we add virtual IP as secondary IP in Active Firewall interface and other multiple IPs which used for Static NAT.

where my PRI IP:- 172.31.24.120, SEC IP :- 172.31.24.130 and vertual IP is :- 172.31.24.110

We add the route for all subnet in AWS through the active firewall Network Interface. (172.31.24.120 secondary IP 172.31.24.110)

Traffic is passing through the active firewall and everything is working fine.

when we failover the traffic from Active to Standby. after few minuted all secondary Ip is mapped with Standby Firewall network interface.

But route is not changed.

When we check the traceroute, traffic is goint through Active firewall interface 172.31.24.120. it should go through the Virtual IP (172.31.24.110)

Thats why our traffic is not working.

when we change the route manually and add the Standby Firewall Network Interface traffic started working.

and checked the Traceroute, it is going through the Virtual IP (172.31.24.110)

Please someone help me to resolve the issue.

Re: Failover Issue with AWS deployment

PhoneBoy — Mon, 09 Sep 2019 22:27:11 GMT

What version/build of gateway?
Did you deploy this as part of a CloudFormation script that we've provided or done this manually?
In general, the routes should fail over if you've deployed per the instructions: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418

Re: Failover Issue with AWS deployment

Abhishek_Kumar1 — Tue, 10 Sep 2019 10:07:28 GMT

We are using R80.20 version, and we deployed manually.
Problem is my secondary IP mapped with standby IP while failover the traffic.
But only routing table is not updating after failover.
thats why traffic is not shifted to standby FW.
We are rebuilding the firewalls with new Version R80.30 then we will verify the Failover. if any face any issue let you know.

Re: Failover Issue with AWS deployment

Abhishek_Kumar1 — Wed, 11 Sep 2019 15:12:29 GMT

We upgrade the Firewall in R80.30,

Our network interface is not updating after failover, i aws routing table.

I am pasting python script output below, please suggest,

[Expert@N-MUILPRODCFW01:0]# $FWDIR/scripts/aws_ha_test.py
Set operation succeeded

Testing if DNS is configured...
Primary DNS server is: 172.31.23.5

Testing if DNS is working...
DNS resolving test was successful

Testing metadata connectivity...
Region : eu-west-1
VPC : vpc-c56d8ba1
Domain : amazonaws.com

Testing for IAM role...
Role: Checkpoint_Cluster_R80

Testing for IAM credentials...
IAM credentials retrieved successfully

Testing cluster interface configuration...
Cluster interface configuration tested successfully

Testing connection to ec2.eu-west-1.amazonaws.com:443...
The connection was opened successfully

Comparing the system clock to AWS
Time difference is 0:00:00.799726
The system clock is synchronized

Testing AWS interface configuration...

All tests were successful!
[Expert@N-MUILPRODCFW01:0]#

Re: Failover Issue with AWS deployment

PhoneBoy — Thu, 12 Sep 2019 00:23:08 GMT

How are you checking the routing table?
You won't necessarily see it on the OS of the gateways, but reflected in AWS.
Suspect the issue is with your IAM role, particularly if you set it up manually versus using a CloudFormation script to do it.

Re: Failover Issue with AWS deployment

Abhishek_Kumar1 — Thu, 12 Sep 2019 10:17:50 GMT

routing checking on AWS only, and i already verified the IAM role as well.

not find any issue with IAM role its create as per SK104418

For your visibility i am pasting you IAM role Policy details below.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeRouteTables",
"ec2:ReplaceRoute",
"ec2:AssignPrivateIpAddresses",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateRoute"
],
"Effect": "Allow",
"Resource": "*"
}
]
}

Re: Failover Issue with AWS deployment

G_W_Albrecht — Thu, 12 Sep 2019 14:18:50 GMT

I would involve TAC here - AWS is only poorly documented and does change so quickly...

Re: Failover Issue with AWS deployment

Abhishek_Kumar1 — Thu, 12 Sep 2019 14:59:03 GMT

Thanks for your update,

We already engage TAC on this let see if they can provide us solution for the same.

Re: Failover Issue with AWS deployment

Abhishek_Kumar1 — Thu, 12 Sep 2019 16:31:10 GMT

We already open a case for R77.30 with same issue.

They are working on last few months, but not able to provide us solution.

now when we raise a new case they are asking, this is new deployment so we are not going to help you.

Could you please provide you any solution for that?

Re: Failover Issue with AWS deployment

PhoneBoy — Thu, 12 Sep 2019 18:47:37 GMT

The solution is not to use R77.30, as it is End of Support as of this month.
You should be using the most recent release (R80.30) in public cloud.
I believe we will be delisting R80.20 from the various marketplaces in the near future.

Re: Failover Issue with AWS deployment

Bill_wang — Tue, 30 Jun 2020 15:21:19 GMT

we have a same the problem yet...but still not been resolved now....