topic Re: Checkpoint CloudGuard HA clustering VIP issue in OCI in Cloud Firewall

Checkpoint CloudGuard HA clustering VIP issue in OCI

Akshayc — Mon, 18 Sep 2023 13:05:32 GMT

helo Peeps,

Need some direction and troubleshooting guidance on Cloudguard HA clustering in OCI. we have deployed 2 cloudguard instances in same OCI region in HA cluster. the configs are fine which i got checked from TAC as well as they are are assisting me in this issue. the problem arises when we do the failover to secondary instance and the virtaul IPs dont move to secondary firewall. When primary is active , everything works fine both N-S and E-W traffic. in cloudguard we have to assign secondary IPs to both trust and untrust Vnics of the primary firewall.

Just wondering if anybody else has experienced this same issue in OCI , Azure or AWS ? we have followed the recommended architecture from official checkpoint documents to configure this solution. we have done dynamic grouping for IAM policies as well and went through some Sk articles as well which TAC shared to implment but no luck so far.

Any leads would be highly appreciated. I also have TAC case opened for this.

Regards,

Akshay

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

PhoneBoy — Mon, 18 Sep 2023 14:29:43 GMT

What images are you using?
Seems like some sort of permissions issue on the credentials assigned to the instance.

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Akshayc — Tue, 19 Sep 2023 00:22:51 GMT

i am using R81.20 with latest hotfix take 26.

What sort of permissions do you think causing this issue? We created dynamic group and assigned highest level of IAM policy as per documentation for the cluster. Thats all they mentioned. is there something else which we are not aware of?

below is the link:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Oracle_Cloud_Getting_Started/Content/Topics-Oracle-GS/Deploying-Cluster-in-Oracle-Cloud.htm?tocpath=_____4

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Nir_Shamir — Tue, 19 Sep 2023 04:43:09 GMT

Are the VPC's and instances located in the same compartment ?

also check logs under $FWDIR/log/oracle_had.elg to see the root cause.

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Jeff_Engel — Wed, 04 Oct 2023 17:42:39 GMT

Were you able to get this working? Happy to help offline if need be.

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Akshayc — Thu, 05 Oct 2023 00:41:49 GMT

hey Jeff,

thank for reaching out. not yet. we are stuck still at same issue. Happy to have a call or discussion if you are available.

Regards,

Akshay

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Jeff_Engel — Thu, 05 Oct 2023 01:50:16 GMT

Hi Akshay,

Feel free to send me an email at jengel@checkpoint.com

In the meantime, one thing to check real quick is please ensure both cluster members NTP is configured and time is in sync. API calls will not work if system time is not within 5 minutes of actual.

Best Regards!

Jeff

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Nir_Shamir — Thu, 05 Oct 2023 05:52:25 GMT

Are the VPC's and instances located in the same compartment ?

also check logs under $FWDIR/log/oracle_had.elg to see the root cause.

Re: Checkpoint CloudGuard HA clustering VIP issue in OCI

Akshayc — Fri, 06 Oct 2023 08:10:11 GMT

hi Nir,

We ran this and found out below in the logs. We dont what the last error means

2023-09-21 14:48:46,814 OCI-CP-HA INFO Traceback (most recent call last):
File "/etc/fw/scripts/oracle_had.py", line 258, in main
reconf()
File "/etc/fw/scripts/oracle_had.py", line 72, in reconf
oci_client = oci.OCI()
File "/opt/CPsuite-R81.20/fw1/scripts/oci.py", line 292, in __init__
identity = metadata('identity/')
File "/opt/CPsuite-R81.20/fw1/scripts/oci.py", line 122, in metadata
resp.reason, data)
TypeError: __init__() missing 1 required positional argument: 'body'

does this ring any bell?

regards,