https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/117579#M16613 <P>Last week we could see the same behaviour and too our MVC upgrade was disruptive.</P> <P>After policy install with R80.40 and enabling MVC we got two active nodes. One with R80.30 and the other with R80.40.</P> <P>Neither of the nodes could see the other one. We did not had time for troubleshooting in this maintenance schedule, so we stopped clustering on the older node with cphastop. After upgrade of both nodes to R80.40 everything was fine.</P> <P>The difference to all my other successfully upgrades is the&nbsp;<SPAN>"Cluster IP Addresses on Different Subnets". Following your post&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11456">@Kaspars_Zibarts</a>&nbsp;maybe there is a problem with the upgrade procedure in case of using these feature. I‘ll try to replicate this in my lab or maybe someone here has experience with this ?</SPAN></P> <P>Wolfgang</P> Mon, 03 May 2021 19:20:13 GMT Wolfgang 2021-05-03T19:20:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/116704#M16465 <P>Probably not that widely used feature having Cluster VIP in one subnet and actual interfaces in different as described in ClusterXL admin guide, "Cluster IP Addresses on Different Subnets" section:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="image.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11484i7F75B3CA526E199D/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>Yesterday I noticed interesting behaviour whilst performing multi-version cluster upgrade (R80.30 &gt; R80.40)</P> <P>After doing initial upgrade on FW2, I attempted to download and install latest Jumbo but gateway failed to connect to Checkpoint services. Logs showed drops on Sync interface on FW1 with source IP of FW2 external interface, say side-B in the diagram 192.168.2.2, destination being updates.checkpoint.com.&nbsp;</P> <P>Normally this is covered by implied rules as interface IPs and VIPs are part of the cluster.</P> <P>In this case 192.168.2.2 was not considered as cluster IP so I had to add explicit rule to allow traffic from 192.168.2.x IP addresses out to Checkpoint services and then it all started working. Including other services like updatable objects.</P> <P>In more practical terms this was the change in the rule (note that IPs differ from example diagram above)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11486i1F99606ABA9AEA26/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;After pushing policy (separately as they run different versions) to both members all started working.</P> <P>In case it helps someone else!</P> Fri, 23 Apr 2021 07:53:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/116704#M16465 Kaspars_Zibarts 2021-04-23T07:53:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/117579#M16613 <P>Last week we could see the same behaviour and too our MVC upgrade was disruptive.</P> <P>After policy install with R80.40 and enabling MVC we got two active nodes. One with R80.30 and the other with R80.40.</P> <P>Neither of the nodes could see the other one. We did not had time for troubleshooting in this maintenance schedule, so we stopped clustering on the older node with cphastop. After upgrade of both nodes to R80.40 everything was fine.</P> <P>The difference to all my other successfully upgrades is the&nbsp;<SPAN>"Cluster IP Addresses on Different Subnets". Following your post&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11456">@Kaspars_Zibarts</a>&nbsp;maybe there is a problem with the upgrade procedure in case of using these feature. I‘ll try to replicate this in my lab or maybe someone here has experience with this ?</SPAN></P> <P>Wolfgang</P> Mon, 03 May 2021 19:20:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/117579#M16613 Wolfgang 2021-05-03T19:20:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/117594#M16614 <P>Kaspars, do you have these 192.168.2.x objects NATed?</P> <P>I've recently encountered different issue with Cluster IP addresses on different subnets, but it was VTI related.</P> Tue, 04 May 2021 02:59:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cluster-with-different-IP-subnets-configuration-MVC-cluster/m-p/117594#M16614 Vladimir 2021-05-04T02:59:00Z