https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/85835#M9147 <P>Hi ,</P><P>I have 2 physical vsx box and 1 box (VSX2) is down and waiting for RMA . So all VSs are ative in box 1 (VSX1) .</P><P>I have one issue there are 2 source servers (a.b.c.d = Server 1 and e.f.g.h = Server 2) and&nbsp; same one&nbsp; destination = i.j.k.l with port = 443 . Here one source server (a.b.c.d) when trying to access destination = i.j.k.l with port 1636 (unsuccess) and one source server =</P><P>e.f.g.h when trying to access dst : i.j.k.l with port 1636 (success) . We are getting the logs in firewall from both the source servers&nbsp;</P><P>from same rule in "Logs and monitor" but when i run tcpdump for unsuccess source server (a.b.c.d) to dst : i.j.k.l with icmp</P><P>in box 1 (VSX1) we are getting only echo reply packet from i.j.k.l &gt; a.b.c.d .</P><P>The only difference is that when we run traceroute from source = a.b.c.d(unsuccess) to destination = i.j.k.l 1st hop is switch (different box - Nexus SW1</P><P>after that it is dropping which next hop is firewall interface cluster ip )&nbsp; and when we run traceroute from source = e.f.g.h(success) to destination = i.j.k.l (it covers all path 1st hop is switch different box - Nexxus SW2 from switch next hop is same firewall interface cluster ip).</P><P>1. Checked the route from the source servers to dst : i.j.k.l point to same next hop .</P><P>2. Check the reverse route also from i.j.k.l to (a.b.c.d) &amp; (e.f.g.h) both are same .</P><P>3. Checked the route from the switch boxes (SW1 and SW2) point to same next hop ip i.e (cluster ip of interface of checkpoint fw)</P><P>4. Destination server is connected interface.</P><P>5. Source servers are able to pingable from firewalls particular VS&nbsp;</P><P>6. Source server (a.b.c.d) is not able to ping destination (i.j.k.l) but source server (e.f.g.h ) is able to ping dst : 1.j.k.l .</P><P>7. Same rule is present in firewall for both the source servers to dst with icmp and 1636 port.</P><P>8. 2nd box of Firewall got down just nearly the issue started .</P><P>9. Some time when run debug command of kernel found "instance is fully utilized " and box cpu is reaching like fwk6 - 88-90%</P><P>&nbsp; and fwk5 (70% = all communication is going through this VS 5).</P><P>&nbsp;</P><P>Does anyone have any idea pls suggest !</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 20 May 2020 07:33:23 GMT vikupoi_123 2020-05-20T07:33:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/85835#M9147 <P>Hi ,</P><P>I have 2 physical vsx box and 1 box (VSX2) is down and waiting for RMA . So all VSs are ative in box 1 (VSX1) .</P><P>I have one issue there are 2 source servers (a.b.c.d = Server 1 and e.f.g.h = Server 2) and&nbsp; same one&nbsp; destination = i.j.k.l with port = 443 . Here one source server (a.b.c.d) when trying to access destination = i.j.k.l with port 1636 (unsuccess) and one source server =</P><P>e.f.g.h when trying to access dst : i.j.k.l with port 1636 (success) . We are getting the logs in firewall from both the source servers&nbsp;</P><P>from same rule in "Logs and monitor" but when i run tcpdump for unsuccess source server (a.b.c.d) to dst : i.j.k.l with icmp</P><P>in box 1 (VSX1) we are getting only echo reply packet from i.j.k.l &gt; a.b.c.d .</P><P>The only difference is that when we run traceroute from source = a.b.c.d(unsuccess) to destination = i.j.k.l 1st hop is switch (different box - Nexus SW1</P><P>after that it is dropping which next hop is firewall interface cluster ip )&nbsp; and when we run traceroute from source = e.f.g.h(success) to destination = i.j.k.l (it covers all path 1st hop is switch different box - Nexxus SW2 from switch next hop is same firewall interface cluster ip).</P><P>1. Checked the route from the source servers to dst : i.j.k.l point to same next hop .</P><P>2. Check the reverse route also from i.j.k.l to (a.b.c.d) &amp; (e.f.g.h) both are same .</P><P>3. Checked the route from the switch boxes (SW1 and SW2) point to same next hop ip i.e (cluster ip of interface of checkpoint fw)</P><P>4. Destination server is connected interface.</P><P>5. Source servers are able to pingable from firewalls particular VS&nbsp;</P><P>6. Source server (a.b.c.d) is not able to ping destination (i.j.k.l) but source server (e.f.g.h ) is able to ping dst : 1.j.k.l .</P><P>7. Same rule is present in firewall for both the source servers to dst with icmp and 1636 port.</P><P>8. 2nd box of Firewall got down just nearly the issue started .</P><P>9. Some time when run debug command of kernel found "instance is fully utilized " and box cpu is reaching like fwk6 - 88-90%</P><P>&nbsp; and fwk5 (70% = all communication is going through this VS 5).</P><P>&nbsp;</P><P>Does anyone have any idea pls suggest !</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 20 May 2020 07:33:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/85835#M9147 vikupoi_123 2020-05-20T07:33:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/85855#M9148 <P>Contact TAC - VSX is far from easily configurable, and VSLS (i assume you are using) even more...</P> Wed, 20 May 2020 09:26:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/85855#M9148 G_W_Albrecht 2020-05-20T09:26:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/86035#M9149 Hi ,<BR />Problem has been solved the issue is occuring due to duplicate ips configured in 2 VMs after giving free ip in one VM issue resolved .<BR />Thanks ! Sorry for incovenience . Fri, 22 May 2020 06:21:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Suspecting-cluster-issue/m-p/86035#M9149 vikupoi_123 2020-05-22T06:21:38Z