topic Re: 1600 Cluster sync issues in Spark Firewall (SMB)

1600 Cluster sync issues

ABosinceanu — Tue, 21 Jun 2022 14:00:35 GMT

Hi All,

We have a newly delivered(May 2022) 2x1600 Spark R80.20.35 appliances that have been configured as a cluster.

My colleague that did the configuration is long time on Check Point and I have no doubt that the configuration was done as usual - to work :).

After the configuration was done, we observed that the cluster members do not sync.

Have anyone encountered that recently?

If I should post more info about the issue, please let me know and I will anonymize mentioned configs and I will post it here - but I belive that this is not related to configs or ISP.

Best wishes,

Andrei

Re: 1600 Cluster sync issues

Sorin_Gogean — Tue, 21 Jun 2022 14:19:31 GMT

hey,

we need more details on what/how is configured, as if they don't sync then, do they report smth wrong in SmartConsole ?

(as I've seen they support ClusterXL)

Usually the 15K series I use have a SYNC interface that you set it as synchronization and is used specifically for that, but on 1600 I don't see that, so most likely you define some of the LAN ports to be used for sync.

Ty,

PS: from here

Configuring High Availability

In the Device > High Availability page you can create a cluster of two appliances for high availability.

Note - You cannot create a cluster when you have a switch or bridge defined in your network settings on the appliance. If necessary, change network settings in the Device > Local Network page.

After you define a cluster, you can select to Enable or Disable the cluster.

The page shows the configured interfaces for monitoring or high availability enabled in a table, where you can edit them.

Interface options in cluster mode:

High Availability - Two physical interfaces in 2 cluster members act as a single interface toward the network, using a single virtual IP address.

Note - In this cluster solution, each interface has a local IP address in addition to the shared single virtual IP address.
Sync - Two physical interfaces must be defined as Sync interfaces and connected between the members to allow proper failover as needed. The default is to use LAN2/Sync physical port.
Non HA (also called private) - The physical interface in this member does not participate in High Availability functions.
Monitored (also called private monitored) - The physical interface in this member is not coupled with another interface on the other member as in High Availability interface mode. The interface's status is still monitored, and if a problem occurs the member will fail over to the second one.

Re: 1600 Cluster sync issues

G_W_Albrecht — Tue, 21 Jun 2022 14:33:26 GMT

1600 SMB appliances HA cluster are much different to GAiA clusters - you only configure the active node in detail, and after selecting the second node in FTW as standby HA node, all config will be synchronized from active node. You did not write about it, but i assume you have a locally managed SMB cluster, so this applies: sk121096: How to configure a cluster between locally managed SMB appliances

Re: 1600 Cluster sync issues

Chris_Atkinson — Tue, 21 Jun 2022 14:36:54 GMT

Depending on the deployment scenario there is R80.20.40 available now with some clustering enhancements.

Re: 1600 Cluster sync issues

G_W_Albrecht — Tue, 21 Jun 2022 14:45:39 GMT

You cite from Locally Managed SMBs R80.20.20 manual but ask if they report smth wrong in SmartConsole - we should better know the deployment before guessing...

Concerning the Sync Port: Both 1600 + 1800 have port 2 named as sync, 1600 with 1GbE and 1800 with 2,5 GbE.

Re: 1600 Cluster sync issues

G_W_Albrecht — Wed, 22 Jun 2022 07:24:01 GMT

I would suggest to upgrade to R80.20.40 asap !

Re: 1600 Cluster sync issues

G_W_Albrecht — Wed, 22 Jun 2022 14:31:36 GMT

Centrally or locally managed SMBs ?

Re: 1600 Cluster sync issues

ABosinceanu — Fri, 24 Jun 2022 12:16:23 GMT

Locally managed.

Update:

1. We performed upgrade to R80.20.40 and the issue persisted.

2. We went back to R80.20.35 and recreated the cluster from scratch + adding specific policies to allow traffic between cluster members and the sync issue was solved. That specific policies where there from the first time, so that was not the issue.

I have no clue what was that. The procedure of setup was the same in both Cluster setup configurations...same order for steps.

Re: 1600 Cluster sync issues

G_W_Albrecht — Mon, 27 Jun 2022 11:41:34 GMT

As long as you do follow sk121096How to configure a cluster between locally managed SMB appliances sync should work. Afaik specific policies to allow traffic between cluster members are only needed in Strict Mode.