topic Re: VLAN subinterface not participating in HA in Firewall and Security Management

VLAN subinterface not participating in HA

Quentin_Antrim — Fri, 13 Aug 2021 15:34:28 GMT

Have an issue with VLAN subinterfaces not participating in HA.

R80.10, HW 6500 qty 2 running in active/active

I've got 3 VLAN subinterfaces on eth1-04:

eth1-04.200

eth1-04.300

eth1-04.500

Prior to yesterday, eth1-04.200 and eth1-04.300 were the only existing subinterfaces and they both were participating in HA. Yesterday, I set up new VLAN subinterface eth1-04.500 in Gaia and as a Cluster interfaces in FW gateway object, etc.

Afterwards, eth1-04.500 was not showing up in HA at either command line or in SmartConsole "Gateways & Servers".

Decided to go ahead and individually reboot the two enforcement points as a hopefully simple way to clear that up, and they had been up for a long time so wanted to refresh anyway.

Afterwards, eth1-04.500 did begin to show up in HA, but then eth1-04.300 stopped showing up in HA. Further reboot and policy pushes do not change this.

Here is cphaprob -a if from one gateway:

[Expert@chw_pbx_bbfw1:0]# cphaprob -a if

Required interfaces: 4
Required secured interfaces: 1

Sync UP sync(secured), multicast
bond41 UP non sync(non secured), multicast, bond Load Sharing
eth1-04 UP non sync(non secured), multicast (eth1-04.500)
eth1-04 UP non sync(non secured), multicast (eth1-04.200)

Virtual cluster interfaces: 4

bond41 10.150.2.188
eth1-04.500 10.5.1.21
eth1-04.200 10.2.0.1
eth1-04.300 10.3.6.49

Any idea what happened?

Thanks.

Q (Quentin)

Re: VLAN subinterface not participating in HA

Bob_Zimmerman — Fri, 13 Aug 2021 16:48:12 GMT

By default, Check Point only monitors the highest VLAN ID and the lowest VLAN ID on each interface. The other interfaces still get cluster VIPs, as you can see in your 'cphaprob -a if' output, but they don't get CCP heartbeats. After all, the infrastructure between the firewalls on all of those interfaces is all but guaranteed to be the same, so more CCP would just waste more of the interface's time slots. Imagine the overhead of sending heartbeats on each of 500 VLAN IDs on a given interface.

Re: VLAN subinterface not participating in HA

Quentin_Antrim — Fri, 13 Aug 2021 18:25:23 GMT

Okay, thanks. This makes total sense now. I did see a discussion on this elsewhere on here, but I didn't understand that was applying to me in this case. Appreciate the explanation.

Re: VLAN subinterface not participating in HA

Henrik_Noerr1 — Sun, 15 Aug 2021 12:47:28 GMT

I appreciate the low/high vlan heartbeat design - But if you are in a company like hours, we see from time to time a vlan is missing in our infrastructure, so 4 months later, the cluster does a failover and all traffic is blackholed.

Just something to be aware of. The CCP heartbeat behaviour can be changed if you wish.

Regards,

Henrik