topic Re: MDPS Separation breaks existing management communication in Firewall and Security Management

MDPS Separation breaks existing management communication

Thanux89 — Tue, 21 Jan 2025 01:45:07 GMT

Hi Team,

I have enabled MDPS separation following the sk138672 article in my LAB setup before deploying it in production.

Before enabling MDPS separation, I had a standard clusterXL setup with a default route pointed towards the management gateway and BGP routes towards the VLAN interfaces.

Below is the script I followed.

clish

set mdps interface Mgmt management on
set mdps interface Sync sync on
set mdps mgmt plane on
set mdps mgmt resource on
save config

set mdps environment mplane
set static-route default nexthop gateway address x.x.x.x on
save config
reboot

I have changed the 26000 devices, and it took a very long time to come UP with the firewalls after the reboot.

Once firewalls appeared, I disabled the management route from the "dplane" and only left the default route via mgmt.

After this separation, I lost access to the firewalls via management, and BGP communication on the "dplane" went entirely down.

Also, there is a loss of communication between the management server and the inability to retrieve or push any firewall policy via the management server.

I have tried resetting the SIC, but the communication is completely broken.

Does anyone have the same experience and overcome the situation?

Thanks

Re: MDPS Separation breaks existing management communication

PhoneBoy — Thu, 23 Jan 2025 13:09:46 GMT

What version/JHF?
Might need TAC to assist here.

Re: MDPS Separation breaks existing management communication

Thanux89 — Thu, 23 Jan 2025 23:41:54 GMT

Hi,

I am working on getting some assistance.

It's R81.20 Take 89

Regards,

Re: MDPS Separation breaks existing management communication

Thanux89 — Thu, 23 Jan 2025 23:47:36 GMT

During my observations, I have observed that after multiple reboots, the firewalls are responding to the management via SSH, and the GUI is not responding.

Also, when the firewall is rebooting, SecureXL does not come UP.

"SecureXL disabled, cannot use affinity commands"

I am unsure whether I need to create the cluster in the management server as the SIC is not forming with the existing cluster object.

I can switch between mplane and dplane, and I was having BGP peering before the conversation, and the BGP is showing down after the MDPS

Regards,

Re: MDPS Separation breaks existing management communication

PhoneBoy — Fri, 24 Jan 2025 00:25:37 GMT

I don't think MDPS turns off SecureXL, but something is clearly amiss (thus why I'm suggesting a TAC case).