topic Re: Failvoer issue on Vsec GW Cluster R81.20 in Cloud Firewall

Failvoer issue on Vsec GW Cluster R81.20

LostBoY — Tue, 25 Apr 2023 18:34:31 GMT

I have a Checkpoint vsec Cluster in AWS on R80.40. Recently i upgraded it to R81.20 however somehow the HA functionality is not working on R81.20

As in AWS ..default route is pointed towards eni of active member (say Member A) and when a failover occurs eni changes automatically to that of secondary member (Mem B). However this is not happening on R81.20 in my case , even after simulating the failover default route still points to eni of Member A even though Member B is active. Is there any specific config required to be done on R81.20 wrt failover ?

any help is appreciated.

Re: Failvoer issue on Vsec GW Cluster R81.20

the_rock — Tue, 25 Apr 2023 19:56:14 GMT

Have not heard of issue like this yet. What happens if you run cphaprob commands on both members, does it show correct state as it should after failover? It would make sense that ENI would automatically switch over to other member upon failover, I agree 100%.

Do you see any relevant info/logs on AWS side at all?

Re: Failvoer issue on Vsec GW Cluster R81.20

LostBoY — Tue, 25 Apr 2023 20:59:06 GMT

Cphaprob commands show the correct state after i simulate the failover.. its just that the eni isnt switching.. at aws side also i didnt find anything.

There is one thing though ..in r80.40 i used to run these as Active active.. but in r80.20 documentation for cloudguard its specifically mentioned to work as an active standby unit with an additonal option in smartconsole as "use in geo cloud mode".

I wonder if thats the issue and it isnt supposed to run in active active in a way as it did in r80.40

Re: Failvoer issue on Vsec GW Cluster R81.20

the_rock — Tue, 25 Apr 2023 21:30:47 GMT

Im pretty sure in R81+, you can only run as A-P, NOT A-A

Re: Failvoer issue on Vsec GW Cluster R81.20

Dmitry_Gorn — Thu, 27 Apr 2023 05:29:31 GMT

Hi,

That would depend on which solution did you upgrade from - single az or cross az cluster.

R81.20 cross az cluster uses a different Active-Standby architecture.

Please refer to the updated upgrading documentation index and specifically to the following document:

How to migrate CloudGuard Network Geo Cluster R81.10 or lower to R81.20 Cross AZ Cluster

In case of upgrading a cross-az cluster, additional steps are required to complete the upgrade.

Regards,

Dmitry

Re: Failvoer issue on Vsec GW Cluster R81.20

Nir_Shamir — Thu, 27 Apr 2023 05:30:14 GMT

It doesn't matter if it's A/A or A/P , both work in the same way with the external route table.

Check $FWDIR/log/aws_had.elg log file if there are any exceptions there

Re: Failvoer issue on Vsec GW Cluster R81.20

LostBoY — Thu, 27 Apr 2023 09:01:40 GMT

Issue is resolved now..turned out there was an issue with the GW DNS due to which it wasnt able to connect to AWS Services which would have led to a route swithover.

as soon as DNS was resolved route switch is working as expected.

Thank you to everyone who replied to this thread 🙂

Re: Failvoer issue on Vsec GW Cluster R81.20

the_rock — Thu, 27 Apr 2023 09:04:05 GMT

Good job and tx for sharing!

Re: Failvoer issue on Vsec GW Cluster R81.20

LostBoY — Thu, 27 Apr 2023 09:05:20 GMT

I followed this exact same document while upgrding..however i tried to configure my cluster as A/A as well as A/S and both seem to work fine. In R80.40 use geo cluster with A/S wasnt an option which is available in R81. I wonder why A/A is not mentioned in the document there as it seems to be working fine.

Re: Failvoer issue on Vsec GW Cluster R81.20

LostBoY — Thu, 27 Apr 2023 09:24:17 GMT

Yea in the documentation also only A/P is mentioned but i configured my R81 with A/A and it seems to work fine.

I think may b the A/P option with "use Geo Mode" in R81 serves the same purpose as an A/A cluster as the external routing also is similar