topic Re: ClusterXL failover question in Firewall and Security Management

ClusterXL failover question

the_rock — Mon, 21 Aug 2023 16:34:56 GMT

Hey guys,

Im hoping someone can confirm this for me 100%. Customer is using clusterXL active-standby method and last few times, we had instance where if we add new vlan either on active or standby member, it would always cause a failover.

Now, that sort of makes sense possibly in their case, as kernel parameter fwha_monitor_all_vlan is set to 1 and they already have 3 vlans configured. At least thats my logic and TAC seems to agree with it, so we will disable it next window and test.

But, here is something I find odd. My colleague set up PBR on current active and that caused a failover as well. Is that normal?? I cant see how that could happen, unless its obviously tied to BGP, which is configured, since it was complaining that routed pnote was the issue.

I see below sk, but its more what to check when failover happens:

https://support.checkpoint.com/results/sk/sk62570

My question is this...is there an official sk or document STATING what changes would indeed cause failover?

Thanks as always.

Andy

Re: ClusterXL failover question

JozkoMrkvicka — Mon, 21 Aug 2023 18:48:53 GMT

Was that newly added VLAN the lowest or highest VLAN-ID on specific interface? By default, CP is monitoring only lowest and highest VLANs. If VLAN is not correctly tagged/created/stretched on the switches, it might cause failover. The monitoring of highest/lowest VLANs is done over CCP (udp/8116).

Re: ClusterXL failover question

the_rock — Mon, 21 Aug 2023 18:52:20 GMT

Hey @JozkoMrkvicka

Thanks for the response. I believe it was neither, somewhere in the middle...lowest was 20, highest 500 I think and this one was 208. But, regardless, I think thats due to kernel parameter I mentioned, but now, question is, if anyone can confirm 100% or if there is an official sk or statement what activities would actually cause failover? Because to me, makes no sense that during one window, when we added new vlan on STANDBY member, even that causes failover??!! I mean, how?

And then, when we showed that to TAC person, I think guy was even more confused than we were LOL

Re: ClusterXL failover question

Bob_Zimmerman — Wed, 23 Aug 2023 15:16:25 GMT

All routing configuration changes are handled by routed. I could definitely see changes to PBR config causing failovers. I suspect a better question would be what interface and/or routing changes would not cause failovers.

Re: ClusterXL failover question

the_rock — Wed, 23 Aug 2023 15:26:58 GMT

Ok, thats fair, though when my colleague and I did PBR changes the 2nd time, failover did NOT happen.

So, here is my question then...what changes would NOT cause a failover? : - )

Andy