Unfortunately failover is around 2 minutes.

ClusterXL fails over in seconds but the API calls to Azure to change routes and Cluster IP take their time. UDRs change pretty quickly in fairness but the disassociation of the cluster IP from the primary node and association to secondary node is the main delay

I have observed that even after 30-40 mins the disassociation of the cluster IP from the primary node and association to secondary node is not happening post Fail-Over.

Th Cluster Testing Script $FWDIR/scripts/azure_ha_test.py, Result in All tests were successful!

Everything as in:-

1. DNS

2. login.windows.net:443

3. Interfaces

4. Credentials

5. Route Tables

6. Load Balancers

7. Azure interface configuration

Any Suggestions??

What Checkpoint version are you running? Have you run the test script on both nodes? I've only had failover/failback issues on R77.30 Azure based clusters, not had enough time with R80.10 yet. Typically this was because I had modified the inbound NAT rules on the Azure load balancer to include additional services such as SNMP which bizarrely seem to cause an issue or another Azure admin had restricted Public IPs at the subscription level so I couldn't associate the public IP to the secondary node.

You can manually associate the IP once it has disassociated. Not ideal but if you've got a 30-40 min outage and need to restore service it is possible.

Checkpoint R80.10.

The Cluster Testing Script $FWDIR/scripts/azure_ha_test.py, Result in All tests were successful! on both nodes.

The Inbound NAT Rules are not getting updated and the disassociation of the cluster IP from the primary node and association to secondary node is not happening post Fail-Over.

Have done some troubleshooting ass follows:-

1. Removed all LB Inbound NAT Rules and did fail-over.

Result:- Success !! UDR's getting updated and points at M2 as next hop. Cluster VIP gets diassociate from M1 and Associates to M2 automatically.

2. Added 1 Inbound NAT Rule on LB. and did fail-over.

Result:- Failure !!, UDR's getting updated and points at M2 as next hop. 

Cluster VIP does not move to M2

On Azure we can see activity log:-

• Operation name
  Write NetworkInterfaces FAILED
• Time stamp
  Fri Apr 27 2018 13:08:43 GMT+0530 (India Standard Time)
• Event initiated by
  check-point-cluster-ha-failover
• Error code
  InvalidResourceReference
• Message
  Resource /subscriptions/d3e8c785-de15-4ba5-8afb-953e277061a2/resourceGroups/CPClust_RG/providers/Microsoft.Network/networkInterfaces/CPClust1-eth0/ipConfigurations/cluster-vip referenced by resource /subscriptions/d3e8c785-de15-4ba5-8afb-953e277061a2/resourceGroups/CPClust_RG/providers/Microsoft.Network/virtualNetworks/VNET01/subnets/Frontend was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.

  ANY1 has encountered such error. I'm facing the same in 2 deployments.

There is a new sk125435 for this problem. It says that a new template will be published in a week or so.

There is a workaround that can be done today with a fixed azure_had.py that can be requested from TAC.

Arnfinn

Thanks Arnfinn Strand‌

Checking with the TAC. But there's a little delay from them.

Do you have any source of the fixed azure_ha.py script ?

Got the fixed Script. Due to changes in the API permissions on Azure, new script need to be loaded on both the Cluster Members.

Also the Inbound NAT rules need to be pointed at Active Member's private IP and not the Cluster VIP.

Following the above, 2 NAT rules need to be implemented in Dashboard which receive the traffic on Member Ip's of both Cluster Member (when either of them are active) and not the Cluster VIP.

Only source I know is TAC. Sorry