https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153820#M25888 <P>Thank you. When browsing the SKs and forum, I didn't stumble upon this. I verified and most of the 3 settings were rejected. I have reconfigured the sync interface with a port group that has these settings enabled. Immediately, the interfaces came up, the cluster formed and I have a working active/standby setup on 80.30. I was hoping it was not CP related.&nbsp;<BR /><BR />That was fast! Thank you! Saves me at least some hours.</P><P>&nbsp;</P> Tue, 26 Jul 2022 08:07:18 GMT woee 2022-07-26T08:07:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153814#M25884 <P>Hello,</P><P>I have set up a HA cluster (2 gw + 1 mgmt) running 81.10 and everything is working fine. This is running on an ESXi server. When I set up the same cluster but in version 80.30, the sync interface never comes up. The HA cluster actually runs in split brain, as they cannot communicate since the sync interface never comes up. I&nbsp;have tested different configuration settings, but the ClusterXL is always failing to be established.</P><P>- I have a /30 subnet on the sync interface, making it a unique sync network (and it is the lowest vlan).<BR />- On Gaia all interfaces are up, I can ping between them just fine to any interface, also the sync interface.<BR /><SPAN>- Access policy contains just 1 rule to allow anything.<BR />- I have the all-in-one evaluation license on all servers.<BR /></SPAN><SPAN>- In the logs I cannot see anything but the fact that the sync interface is down on both sides.<BR /></SPAN><SPAN>- Via cpconfig I removed each member (option 6) and joined again after reboot.<BR />- I recreated the sic trust, changed every possible setting for anti-spoofing.<BR /></SPAN><SPAN>- I removed the cluster object and recreated it again, no effect.<BR /></SPAN><SPAN>- I used vmxnet3 and E1000 interfaces on the virtual machines.<BR />- I used different subnets and IP addresses, but same result.<BR />- Changed CCP mode to broadcast, unicast, auto, all same result (now it is again auto/unicast).<BR /></SPAN><SPAN>- ClusterXL is installed on the gateways.<BR /></SPAN><SPAN>- I used the wizard to create the cluster.<BR />- I reinstalled the servers to be sure but the same result is noticed.</SPAN></P><P>The only way to get the interfaces in an UP state, is when I set the first mgmt interface to cluster+sync. When I do this the interfaces come up (sometimes), but there is still no traffic between them to establish a proper HA cluster.</P><P>I am new to Checkpoint and cannot find any other info to troubleshoot further. I've taken a look at the log files, but cannot find a log file about the sync interface and the HA mechanism (not in fwd.elg or messages or any other file). Is there a log file where you can see the servers trying to establish the cluster or why the sync interfaces don't come up for HA? These interfaces are up and working, they just don't do HA.</P><P>Is there something obvious I am missing on the 80.30 that is different from the 81.10?</P><P>Thank you!<BR />Wouter</P> Tue, 26 Jul 2022 07:00:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153814#M25884 woee 2022-07-26T07:00:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153815#M25885 <P>Double check that your clusterID on R80.30 is set to the same number on both cluster members.&nbsp;</P> Tue, 26 Jul 2022 07:18:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153815#M25885 _Val_ 2022-07-26T07:18:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153816#M25886 <P>R80.40 and above is less strict on the requirements...</P> <P>Do you have all the following in place:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101214" target="_self">sk101214</A>&nbsp;</P> Tue, 26 Jul 2022 07:48:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153816#M25886 Chris_Atkinson 2022-07-26T07:48:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153819#M25887 <P>Thanks, great pointing out the clusterid, makes sense if there is a mismatch 2 different clusters will be formed. I don't know how to get this id. Do you know an easy way to verify this on 80.30?</P><P>[Expert@FW1:0]# cphaconf cluster_id get<BR />cphaconf cluster_id set\get is not supported in this version.<BR />For more details, please refer to sk25977.</P> Tue, 26 Jul 2022 08:05:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153819#M25887 woee 2022-07-26T08:05:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153820#M25888 <P>Thank you. When browsing the SKs and forum, I didn't stumble upon this. I verified and most of the 3 settings were rejected. I have reconfigured the sync interface with a port group that has these settings enabled. Immediately, the interfaces came up, the cluster formed and I have a working active/standby setup on 80.30. I was hoping it was not CP related.&nbsp;<BR /><BR />That was fast! Thank you! Saves me at least some hours.</P><P>&nbsp;</P> Tue, 26 Jul 2022 08:07:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153820#M25888 woee 2022-07-26T08:07:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153824#M25889 <P>from clish:&nbsp;</P> <P><CODE class="monospace">show cluster mmagic</CODE></P> Tue, 26 Jul 2022 08:29:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153824#M25889 _Val_ 2022-07-26T08:29:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153825#M25890 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/78320">@woee</a>&nbsp;great to hear. you can ignore ClusterID then <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 26 Jul 2022 08:29:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153825#M25890 _Val_ 2022-07-26T08:29:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153826#M25891 <P>So what is the clusterID in there?</P><P>&nbsp;</P><P><EM>FW1&gt; show cluster mmagic</EM></P><P><EM>Configuration mode: Automatic</EM><BR /><EM>Configuration phase: Stable</EM></P><P><EM>MAC magic: 1</EM><BR /><EM>MAC forward magic: 254</EM></P><P><EM>Used MAC magic values: None.</EM></P> Tue, 26 Jul 2022 08:31:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153826#M25891 woee 2022-07-26T08:31:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153827#M25892 <P>Yes, but now I need to know. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 26 Jul 2022 08:33:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sync-interface-on-80-30-never-comes-up/m-p/153827#M25892 woee 2022-07-26T08:33:28Z