topic Re: Load balancer on port 8117 reports gw's unhealthy in Cloud Firewall

Load balancer on port 8117 reports gw's unhealthy

ajsingh — Fri, 24 Nov 2023 14:28:50 GMT

Hi All,

I recently deployed R81.10 Template in Azure with HA cluster setup. After deploying first thing I checked is my NSG on ETH1 and then Load balancing status. I found Backend Load balancer is reporting Gateways Unhealthy and Gateway's are dropping traffic from ILB :
@;2736753;[cpu_1];[fw4_2];fwha_cloud_should_process_probe: fw_policyloaded is 1, not replying;
@;2736839;[cpu_3];[fw4_0];fwha_cloud_should_process_probe: fw_policyloaded is 1, not replying;
@;2736912;[cpu_2];[fw4_1];fwha_cloud_should_process_probe: fw_policyloaded is 1, not replying;

NSG on Backend ILB is fine and allowing all communication.

[Expert@naspdmzcpfwl1:0]# cat /etc/cloud-version
release: R81.10
take: 335
build: 991001383
platform: azure
license: byol
deployment_method: ftw
template_name: ha
template_version: 20231002
template_type: marketplace
maas_usage: 0

[Expert@naspdmzcpfwl1:0]# cat $FWDIR/boot/modules/fwkern.conf
fwha_unicast_only=1
fwmultik_sync_processing_enabled=0
fw_aws_mode=1
fw_https_consider_nat=1
fw_xff_geo=1
cloud_balancer_ip1=0xa83f8110
fw_azure_mode=1
fwha_dead_timeout_multiplier=20
fwha_if_problem_tolerance=200
cloud_balancer_port=8117

Any help? I have open TAC case too but thought to ask experts here too for faster resolution.

Re: Load balancer on port 8117 reports gw's unhealthy

the_rock — Fri, 24 Nov 2023 14:36:48 GMT

Maybe this would help?

Kind regards,

Andy

https://community.checkpoint.com/t5/Cloud-Network-Security/Azure-cloudguard-VMSS-health-probes-on-8117-and-monitor/td-p/141582#

Re: Load balancer on port 8117 reports gw's unhealthy

ajsingh — Fri, 24 Nov 2023 14:41:51 GMT

Hi,

I am using HA cluster Template. Right now I am unable to reach my gateway on ETH1 and hence no sic is established yet. I wanted to make SIC on ETH1 only so comms to firewall stays internal.

I have default policy on firewalls yet since it is a brand new setup and i have tried to unload policy too but no success.

Re: Load balancer on port 8117 reports gw's unhealthy

the_rock — Fri, 24 Nov 2023 14:44:36 GMT

Ah, now I got it. Well, in that case, we need to figure out why. Can you do traceroute to see why it fails? Did you do any captures to examine where it might be getting "stuck"?

Andy

Re: Load balancer on port 8117 reports gw's unhealthy

ajsingh — Fri, 24 Nov 2023 14:47:47 GMT

I do see traffic coming to my Eth1 on port 8117 but no reply from firewall. I just unloaded the policy too but same behavior . as soon as request reached ILB , its lost.

Re: Load balancer on port 8117 reports gw's unhealthy

ajsingh — Fri, 24 Nov 2023 14:51:13 GMT

IS ILB supposed to send traffic from below ip or from 10.x.x.5 IP?

168.63.129.16.60721 > 10.x.x.5.8117: Flags [SEW], seq 585445089, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
09:46:19.059523 IP 168.63.129.16.60721 > 10.x.x.5.8117: Flags [SEW], seq 585445089, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
09:46:21.074660 IP 168.63.129.16.60721 > 10.x.x.5.8117: Flags [S], seq 585445089, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

Re: Load balancer on port 8117 reports gw's unhealthy

the_rock — Fri, 24 Nov 2023 14:52:38 GMT

Wait, do you have ILB and ELB or just ILB?

Andy

Re: Load balancer on port 8117 reports gw's unhealthy

natanelm — Sun, 26 Nov 2023 08:11:23 GMT

Hi @ajsingh,

Let me see if I understood correctly: you are trying to create the cluster object in the smart console, but you cannot communicate with the gateway on ETH1 (SIC is failing). Is your management server trying to access the gateway through ETH1?

For the health probes, CloudGuard Gateways will only respond to them after the policy installation, and only the active member will do so (the standby member does not respond by design).

Please refer to step 5 in our guide to set up the GW objects in the SmartConsole: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Content/Topics-Azure-HA/Workflow.htm?TocPath=Workflow%20for%20Setting%20Up%20a%20High%20Availability%20Cluster%20in%20Azure%7C_____5#Step_5__Configure_Cluster_Objects_in_SmartConsole

I hope this clarifies your question.

Thanks,
Natanel