topic Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode in Firewall and Security Management

How to manually force split brain on VSes with 2 VSXes on VSLS mode

KostasGR — Thu, 02 Jun 2022 19:06:18 GMT

Hello

Is any way to manually force split brain on 2 VSes created on 2 VSXes on VSLS mode?

I want to achieve 2 VSes active on VSXA and the same 2 VSes active on VSXB in a lab environment.

BR,
Kostas

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

genisis__ — Thu, 02 Jun 2022 19:32:53 GMT

I'm pretty sure the answer is no.

You can certainly load share between different VSX Nodes but you can't have any one VS active on two different nodes, at least too my knowledge.

If you want true resource balancing then perhaps Maestro may be a better option.

Another idea, would be to have two different VS's using the same policy file but perhaps an external load balancing to share the load (a bit over kill, but could also be an option with some design considerations).

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

Vladimir — Thu, 02 Jun 2022 19:53:22 GMT

I do not think that you can selectively achieve that, but to have all VSes running in split brain, move the networks of one of the unit to the separate vSwitches, (loose the sync) and reboot the unit.

In theory, it'll come up looking for other cluster member and, not finding one, run VSes to Active mode.

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

Bob_Zimmerman — Thu, 02 Jun 2022 20:54:09 GMT

If there are other VSs which you don't want to try to become active on both members, this isn't possible. Sync and cluster monitoring on VSX is a whole-box thing.

If you're okay with all VSs trying to become active on two or more members, you just have to prevent those members from seeing each other.

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

KostasGR — Tue, 07 Jun 2022 08:14:29 GMT

Hello all

Finally i have managed to cause split brain by preventing those members from seeing each other.

Apart from preventing VSes to see each other through their interfaces (inside,outside,DMZ etc) I had to disable SYNC connectivity and also shutdown the management interface of the 2 VSXes. By disabling the management interfaces of the 2 VSXes i had no logging towards the log server (management server),

BR,

Kostas

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

genisis__ — Tue, 07 Jun 2022 08:18:01 GMT

What is achieved by this outside a lab? In a production environment you could not really do the above and most certainly Checkpoint would not support it.

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

KostasGR — Tue, 07 Jun 2022 09:46:02 GMT

A DR scenario that cuts layer 2 connectivity between MAIN DC and REMOTE DC for example. Why Check point wouldn't support it?

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

genisis__ — Tue, 07 Jun 2022 09:54:48 GMT

I don't believe this is a supported scenario, but Checkpoint would be better to respond.

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

Kaspars_Zibarts — Tue, 07 Jun 2022 11:51:41 GMT

Technically if VSX nodes lose L2 completely then both will become Active as they will assume that other node is dead based on clustering protocol. So your two DCs should continue to work independently. Obviously you won't be able to manage them i.e push rules our routing. But I suggest you test in the lab

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

Bob_Zimmerman — Tue, 07 Jun 2022 12:21:38 GMT

That depends. Other problems such as monitored interfaces which don't have anything available to ping (e.g, a new highest VLAN or lowest VLAN which doesn't have any endpoints on it yet) can cause both members to refuse to become active because they each think they are the device with the failure.

Spanning layer 2 between datacenters is a really bad idea.

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

Kaspars_Zibarts — Mon, 24 Jul 2023 07:18:47 GMT

Hehe. There are lots of bad ideas @Bob_Zimmerman but in reality you are forced to accept legacy solutions that take years to move on from 🙂

Re: How to manually force split brain on VSes with 2 VSXes on VSLS mode

Bob_Zimmerman — Mon, 24 Jul 2023 13:36:34 GMT

I've personally seen more people trying to span layer 2 between datacenters in each of the last five years than I had even heard about in the ten years before. It's a recent phenomenon. People need to be told it's a terrible idea which will lead to awful problems.