topic Re: VRRP not enabled: R81.20 ClusterXL with VRRP in Firewall and Security Management

VRRP not enabled: R81.20 ClusterXL with VRRP

saitoh — Wed, 12 Feb 2025 12:22:29 GMT

Hi all,

I am trying to test ClusterXL with VRRP as High Availability method.

I read some documents which says all I have to do in order to set it up is just to make ClusterXL cluster in a normal way, except for High Availability mode; VRRP.

I have already had one of cluster with ClusterXL in my lab, so I changed HA mode into VRRP just after I configured Advanced VRRP in GAiA Portal.

One of my coworkers told me that I can make sure HA mode by looking at the output of "cphaprob state".

I can clearly confirm the output changes before and after the configuration above.

Yet, #show vrrp returns me "VRRP not enabled".

Is this expected output in this occasion?

Both GW are managed by one SMS.

R81.20 without any JHF.

I did the following, which I believe it is how you configure VRRP in GAiA Portal:

1. In Advanced VRRP section, check Monitor Firewall State

2. Add Virtual Routers as follows

VRID: 1 Interface: eth0 VRRP Mode: VRRP Priority: 100 Hello Interval: 1 Preempt: Yes

Auto-deactivation: No Backup Addresses: None Monitored Interfaces: eth1 (delta: 10)

Priority of vRouter in standby VM is set to 99.

Any comments would be more than welcome!

Saitoh

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

Lesley — Wed, 12 Feb 2025 20:04:38 GMT

What steps you have followed?

This one?

https://support.checkpoint.com/results/sk/sk92061

And why VRRP if I may ask? See for limitations

https://support.checkpoint.com/results/sk/sk105170

All clusters I manage are ClusterXL and soon will be ElasticXL

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

the_rock — Wed, 12 Feb 2025 20:41:06 GMT

Im with @Lesley on this one, those SKs are definitely relevantt in your case.

Andy

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

saitoh — Thu, 13 Feb 2025 05:59:08 GMT

Dear @Lesley ,

Thanks for your comments.

I followed the steps below.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/VRRP-Advanced.htm

One thing, I did not add backup address because I thought this is optional.

I would like to try ClusterXL over VRRP. That is why.

Yet, I still have confusing idea on this.

I thought they are the methods for making network redundant, one is universal and the other CP-exclusive, and

do not understand why you want to use them both...

Saitoh

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

saitoh — Thu, 13 Feb 2025 06:22:45 GMT

Dear @the_rock ,

Appreciated for your comment.

I thought I configured VRRP rightly, judging from the fact below:

When only ClusterXL enabled, #cphaprob state returns the following.

Cluster Mode: New High Availability (Primary Up)
with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.0.1     100%            Active
2          192.168.0.2     0%              Standby

Then I changed HA mode to VRRP with Advanced VRRP settings done in GAiA Portal, the output changes.

Cluster Mode: Sync only (OPSEC) with IGMP Membership

Number     Unique Address  Firewall State (*)

1 (local)  192.168.0.1     Active
2          192.168.0.2     Active

(*) FW-1 monitors only the sync operation and the security policy
    Use OPSEC's monitoring tool to get the cluster status

Considering the outputs, I thought it is safe to say VRRP is enabled.

However #show vrrp says VRRP not enabled.

This is not very persuasive...

Saitoh

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

saitoh — Thu, 13 Feb 2025 06:30:37 GMT

I took routed trace on questioning cluster, and then I noticed they actually were communicating with each other, yet some necessary config might be missing.

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

saitoh — Thu, 13 Feb 2025 08:32:10 GMT

I solved this by adding backup address as follows.

ClusterXL VIP for eth0: 10.31.10.113

vRouter 1 backup address: 10.31.10.113

Then #show vrrp returns VRRP state!

What is this "backup address" ? no idea what this address is used in VRRP function.

Saitoh

Re: VRRP not enabled: R81.20 ClusterXL with VRRP

the_rock — Thu, 13 Feb 2025 12:30:31 GMT

I could be mistaken, but I believe its similar to VIP in clusterXL.