topic Failover behavior in VSX environment in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Failover-behavior-in-VSX-environment/m-p/73519#M9370 <P>Dear CheckMates Community,</P><P>coud someone of you explain how failover works in a VSX environment. As far as I know, in a non VSX default setup the first and the last VLAN on a trunk interface will be monitored. If on of this VLAN can't process CCP pakets a pnote will be genarated an failover to the other (standby) cluster member.</P><P>But how does it works in VSX?</P><P><U><STRONG>Please check below some outputs:</STRONG></U></P><P>&nbsp;</P><P><FONT color="#FF0000"><STRONG>cphaprob -a if</STRONG></FONT></P><P>vsid 5:<BR />------<BR />CCP mode: Manual (Broadcast)<BR />Required interfaces: 4<BR />Required secured interfaces: 1</P><P>Sync UP sync(secured), broadcast<BR />wrp321 UP non sync(non secured), broadcast<BR />wrp320 UP non sync(non secured), broadcast<BR />bond3 UP non sync(non secured), broadcast, bond Load Sharing (bond3.1002)</P><P>Virtual cluster interfaces: 9</P><P>wrp321 x.x.x.x<BR />wrp320 192.168.x.1<BR />bond2.2506 192.168.23x.46<BR />bond2.1050 192.168.2x.164<BR />bond2.2503 192.168.23x.22<BR />bond3.1002 x.x.x.x<BR />bond2.2509 192.168.23x.70<BR />bond2.2505 192.168.23x.38<BR />bond2.2504 192.168.23x.30</P><P>&nbsp;</P><P><FONT color="#FF0000"><STRONG>cphaprob stat</STRONG></FONT></P><P>Cluster Mode: VSX High Availability (Active Up) with IGMP Membership</P><P>ID Unique Address Assigned Load State Name</P><P>1 192.168.x.25 0% STANDBY fw1<BR />2 (local) 192.168.x.26 100% ACTIVE fw2</P><P><BR />Active PNOTEs: None</P><P>Last member state change event:<BR />Event Code: CLUS-115704<BR />State change: STANDBY -&gt; ACTIVE<BR />Reason for state change: Member state has been changed due to issue in Virtual System 0<BR />Event time: Tue Jan 21 11:04:26 2020</P><P>&nbsp;</P><P>Thank you in advance.</P><P>BR</P><P>Patrick</P><P>&nbsp;</P> Tue, 28 Jan 2020 08:29:49 GMT Patrick150781 2020-01-28T08:29:49Z Failover behavior in VSX environment https://community.checkpoint.com/t5/Firewall-and-Security-Management/Failover-behavior-in-VSX-environment/m-p/73519#M9370 <P>Dear CheckMates Community,</P><P>coud someone of you explain how failover works in a VSX environment. As far as I know, in a non VSX default setup the first and the last VLAN on a trunk interface will be monitored. If on of this VLAN can't process CCP pakets a pnote will be genarated an failover to the other (standby) cluster member.</P><P>But how does it works in VSX?</P><P><U><STRONG>Please check below some outputs:</STRONG></U></P><P>&nbsp;</P><P><FONT color="#FF0000"><STRONG>cphaprob -a if</STRONG></FONT></P><P>vsid 5:<BR />------<BR />CCP mode: Manual (Broadcast)<BR />Required interfaces: 4<BR />Required secured interfaces: 1</P><P>Sync UP sync(secured), broadcast<BR />wrp321 UP non sync(non secured), broadcast<BR />wrp320 UP non sync(non secured), broadcast<BR />bond3 UP non sync(non secured), broadcast, bond Load Sharing (bond3.1002)</P><P>Virtual cluster interfaces: 9</P><P>wrp321 x.x.x.x<BR />wrp320 192.168.x.1<BR />bond2.2506 192.168.23x.46<BR />bond2.1050 192.168.2x.164<BR />bond2.2503 192.168.23x.22<BR />bond3.1002 x.x.x.x<BR />bond2.2509 192.168.23x.70<BR />bond2.2505 192.168.23x.38<BR />bond2.2504 192.168.23x.30</P><P>&nbsp;</P><P><FONT color="#FF0000"><STRONG>cphaprob stat</STRONG></FONT></P><P>Cluster Mode: VSX High Availability (Active Up) with IGMP Membership</P><P>ID Unique Address Assigned Load State Name</P><P>1 192.168.x.25 0% STANDBY fw1<BR />2 (local) 192.168.x.26 100% ACTIVE fw2</P><P><BR />Active PNOTEs: None</P><P>Last member state change event:<BR />Event Code: CLUS-115704<BR />State change: STANDBY -&gt; ACTIVE<BR />Reason for state change: Member state has been changed due to issue in Virtual System 0<BR />Event time: Tue Jan 21 11:04:26 2020</P><P>&nbsp;</P><P>Thank you in advance.</P><P>BR</P><P>Patrick</P><P>&nbsp;</P> Tue, 28 Jan 2020 08:29:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Failover-behavior-in-VSX-environment/m-p/73519#M9370 Patrick150781 2020-01-28T08:29:49Z Re: Failover behavior in VSX environment https://community.checkpoint.com/t5/Firewall-and-Security-Management/Failover-behavior-in-VSX-environment/m-p/73787#M9371 <P>Hi Patrick, I can see that you are running VSX in HA mode and not VSLS.</P> <P>If HA, the interface probing stays the same, cluster fails over with all VSs from one physical member to another. With VSLS, the failover happens on per VS basis, unless one of your machines is completely dead. All VLANs are probed on per VS basis.</P> <P>&nbsp;</P> <P>However, in your case I can also see that there was an issue on VS0, meaning on the physical entity. It does not seem to be an interface failure related to VLANs, as VS0 only operates MGMT IF and Sync IF.</P> Thu, 30 Jan 2020 16:57:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Failover-behavior-in-VSX-environment/m-p/73787#M9371 _Val_ 2020-01-30T16:57:05Z