topic Re: Maestro dual site, dual MHO - questions in Hyperscale Firewall (Maestro)

Maestro dual site, dual MHO - questions

Alex- — Tue, 25 Mar 2025 20:09:49 GMT

All systems R81.20 Take 98.

I'm looking at a Maestro setup configured as multi-site with direct connections between MHO (Sync-int, sync-ext) and dual MHO.

All connections are up and the MHO are configured as site 1, 2, id 1, id 2 per site.

Next, we have a VSX security group with Force SGM connected on the same ports on MHO1_1 and MHO1_2 on site 1, and MHO2_1 and MHO2_2 on site 2.

The SG is created and works.

According to the network integrator (outside my control and area of visibility), both sites have perfect replication in terms of L1/L2, since the SG work, this makes sense.

Site 1	Site 2
MHO1_1	MHO2_1
MHO1_2	MHO2_2
Force with uplink to each MHO	Force with uplink to each MHO

The administration guides were followed to create the security group, everything was done on 1_1 and the 2 sites appear in the MHO configuration.

We get an active/active system, VS0 created as singly VSX gateway with SG IP.

Now the issue are as follows:

On the 2nd site MHO, orchd/asg commands stall or don't produce output. Sometimes a command like "orchd stat" on the MHO or asg monitor will work then on another run in the same session will stall and hang.

SSH to MHO site 2 works but not HTTPS.

If we failover the SG to site 2, we get the same scenario with unreliable SSH output and policy install on VS0 fails with SSL errors in the policy installation output.

I don't have other experience with dual site so I can't compare. The network should be fine, so I'm wondering if there are extra steps or something I would have missed in the process which could make sense here.

As far as I know, we followed all administration guides and relevant SK.

Re: Maestro dual site, dual MHO - questions

emmap — Wed, 26 Mar 2025 02:22:56 GMT

Without being able to really understand the layer 1 and layer 2 setup it's hard to say, but it seems like there's something going wrong with the site_sync stuff. How're the MHOs directly connected between sites? Do you have a sufficiently anonymised diagram you can share?

Re: Maestro dual site, dual MHO - questions

AkosBakos — Wed, 26 Mar 2025 08:14:28 GMT

What were the steps of creating the secondary site?
asg stat -v shows the second site (MHO and SGMs)?
Layer4 distribution mode is enabled or disabled?

Re: Maestro dual site, dual MHO - questions

Alex- — Wed, 26 Mar 2025 08:49:18 GMT

@emmap Basically what is described in the multisite setup with direct connection: https://sc1.checkpoint.com/documents/Appliances/GSG_Maestro/EN/Topics/Connecting-Cables-for-Dual-Site-Direct-Connection.htm

Except one SGM per site. Network provider provides virtualised "dark fibre" and are adamant their configuration is fine.

At least it looks like, the MHO don't complain of not seeing each other.

@AkosBakos Followed the admin guide, L4 distribution is off.

-------------------------------------------------------------------------------- | VSX System Status - Maestro | -------------------------------------------------------------------------------- | Chassis Mode | Active Up | | Up time | 5 days, 19:39:31 hours | | SGMs | 2 / 2 | | Virtual Systems | 1 | | Version | R81.20 (Build Number 722) | -------------------------------------------------------------------------------- | VS ID: 0 VS Name: <removed> | -------------------------------------------------------------------------------- | SGM ID Chassis 1 Chassis 2 | | ACTIVE STANDBY | -------------------------------------------------------------------------------- | 1 ACTIVE ACTIVE | -------------------------------------------------------------------------------- | Chassis Parameters | -------------------------------------------------------------------------------- | Unit | Chassis 1 | Chassis 2 | Weight | -------------------------------------------------------------------------------- | SGMs | 1 / 1 | 1 / 1 | 6 | | Ports | | | | | Standard | 0 / 0 | 0 / 0 | 11 | | Bond | 0 / 0 | 0 / 0 | 11 | | Other | 0 / 0 | 0 / 0 | 6 | | Sensors | | | | | SSMs | 2 / 2 | 2 / 2 | 11 | | | | | | | Grade | 28 / 28 | 28 / 28 | - | -------------------------------------------------------------------------------- | Minimum grade gap for chassis failover: 11 | | Synchronization | | Sync to Active chassis: Enabled | | Sync to Standby chassis: Enabled | -------------------------------------------------------------------------------- | Chassis HA mode: Active Up | --------------------------------------------------------------------------------

Re: Maestro dual site, dual MHO - questions

AkosBakos — Wed, 26 Mar 2025 08:56:38 GMT

Hi @Alex-

Just for sure, the md5sum -s of the SGMs are the same?

show smo image md5sum

And the #lldpctl command shows the remote site on both site, right?

Re: Maestro dual site, dual MHO - questions

Alex- — Wed, 26 Mar 2025 09:11:30 GMT

Yes and yes. Still checking the network side of all of this, as the MHO on the second site were showing that behaviour even when no SG was configured.

Re: Maestro dual site, dual MHO - questions

AkosBakos — Wed, 26 Mar 2025 09:27:48 GMT

Hi @Alex-

Maybe you have already checked the settings according to https://support.checkpoint.com/results/sk/sk168092

The QinQ was configured correctly?

Connectivity between Orchestrators on different sites:

From MHO 1_1 ping MHO 2_1: ping 203.0.113.15

From MHO 1_2 ping MHO 2_2: ping 203.0.113.16

If there is no ping, examine VLAN IDs 3951 and 3952.

Connectivity between Orchestrators on the same site:

From MHO 1_1 ping MHO 1_2: ping 192.0.2.2

From MHO 2_1 ping MHO 2_2: ping 192.0.2.16

If there is no ping, examine the Internal Sync cable between Orchestrators on the same site.

Connectivity between Security Group Members (appliances):

From SGM 1_1 ping SGM 2_1 on the sync network: ping 192.0.2.15

If there is no ping, examine VLAN IDs 3600 and 3601.

Akos

Re: Maestro dual site, dual MHO - questions

Alex- — Wed, 26 Mar 2025 09:53:32 GMT

Yes these are all peachy. We're still investigation with the relevant parties.

Thanks for your feedback. 👍

Re: Maestro dual site, dual MHO - questions

Alex- — Wed, 26 Mar 2025 13:28:33 GMT

Problem fixed, MTU mismatch was found somewhere along the path by the network provider.

Thanks for chiming in. 😀

Re: Maestro dual site, dual MHO - questions

AkosBakos — Wed, 26 Mar 2025 14:17:24 GMT

May I ask you to share the "good" MTU number with us? 🙂

Re: Maestro dual site, dual MHO - questions

Alex- — Wed, 26 Mar 2025 14:26:02 GMT

The MHO have 9216 so they put 9300 on whatever equipment they have in this setup.