topic ClusterXL Alert (!) in Firewall and Security Management

ClusterXL Alert (!)

Matlu — Mon, 08 Jan 2024 18:57:46 GMT

Hello,

I have a ClusterXL R81.10 with an alert.

The problem is that according to the "cphaprob -a if" command, the interface Eth1.19 ... is up, however, I still see the Cluster "alerted" when I query with the "cphaprob state", I see the member 2 with the symbol !

The fact of having the Cluster alerted, gives me the impression, that it is causing that from the SmartConsole, I see the alert related to a problem by the "AntiBot", but checking the AntiBot, I observe that everything is fine.

The GW has Internet connectivity and DNS resolution.

Is there a way to correct this?

Re: ClusterXL Alert (!)

genisis__ — Mon, 08 Jan 2024 19:02:09 GMT

Can you check your trunking to ensure L2 vlans are seen by both sides. Also provide the output from SG1.

Re: ClusterXL Alert (!)

the_rock — Mon, 08 Jan 2024 19:03:11 GMT

Hey bro,

Have you tried cphastop; cphastart on the cluster member with the issue?

Best,

Andy

Re: ClusterXL Alert (!)

PhoneBoy — Mon, 08 Jan 2024 19:03:51 GMT

Did you address the two problems mentioned here?
Neither of these issues are with Anti-Bot.

Last member state change event:
   Event Code:                 CLUS-110305
   State change:               ACTIVE -> ACTIVE(!)
   Reason for state change:    Interface eth1.19 is down (Cluster Control Protocol packets are not received)
   Event time:                 Mon Dec 18 16:34:17 2023

Last cluster failover event:
   Transition to new ACTIVE:   Member 1 -> Member 2
   Reason:                     Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
   Event time:                 Thu Dec 14 11:29:25 2023

Re: ClusterXL Alert (!)

the_rock — Mon, 08 Jan 2024 19:09:05 GMT

Those things Phoneboy mentioned are 100% relevant, for sure, but just wondering, as they show mid December date, was it fixed since then?

Please verify by running below

cphaprob -a if

cphaorrob -l list

Andy

Re: ClusterXL Alert (!)

Matlu — Mon, 08 Jan 2024 19:47:00 GMT

Hello,

I provide the output of SG1 and SG2.

I suspect that by having this "alert" in the Cluster (!), it may be causing the alert related to my AntiBot.

I have done basic tests, such as making sure that there is internet connectivity from the 2 GWs and that both resolve DNS, and everything is fine.

The problem is that from the SmartConsole, I have the alert both at ClusterXL and AntiBot level.

I think, that both problems are related.

I have applied the validation command "cpstat antimalware -f update_status" on the member that is "ACTIVE(!)" and I get the following result.

Attached is the result of several commands applied on both GWs.

Thanks for your comments.

Re: ClusterXL Alert (!)

the_rock — Mon, 08 Jan 2024 19:52:07 GMT

Can you send cphaprob -a if of cpfw02?

Andy

Re: ClusterXL Alert (!)

the_rock — Mon, 08 Jan 2024 19:55:30 GMT

Nm, got it. Okay, so on fw01, shows required interfaces 5 and other one shows 6, so something is not matching. Can you confirm topology is correct as far as cluster config for those interfaces?

Andy

Re: ClusterXL Alert (!)

Matlu — Mon, 08 Jan 2024 20:31:08 GMT

I'm observing the difference.

Indeed, I see that my SG2, has 6 "Required Interfaces" and the SG1, only 5.

---------------------------------------------------------------------

[Expert@SG2:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 6
Required secured interfaces: 1

[Expert@SG1:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 5
Required secured interfaces: 1

---------------------------------------------------------------------

These values must be identical in both members, right?

How can I fix this error?
Because according to my client, there should be 6 "Required Interfaces", not 5.

Re: ClusterXL Alert (!)

the_rock — Mon, 08 Jan 2024 20:35:50 GMT

If they dont match, cluster will never work properly. So, have them check smart console topology and observe those 6 interfaces to confirm topology is indeed set as cluster for them.

I attached example from my lab

Andy

Re: ClusterXL Alert (!)

Matlu — Mon, 08 Jan 2024 20:54:25 GMT

It validates it.

Indeed, there should only be 5 Required Interfaces (I made a mistake in the # I said in the previous post).

The interfaces are in the SmartConsole topology, under "type -> Cluster" except for the Sync interface, which is under "type -> Sync".

It occurs to me then, that from the SmartConsole I should give a "Get Interfaces Without Topology", to "refresh" maybe the console, and mitigate the ClusterXL alert?

Re: ClusterXL Alert (!)

the_rock — Mon, 08 Jan 2024 20:55:42 GMT

As long as you are positive its correct, yes, do that and install the policy.

Andy