Checkpoint CloudGuard HA clustering VIP issue in OCI
Need some direction and troubleshooting guidance on CloudGuard HA clustering in OCI. We have deployed 2 CloudGuard instances in the same OCI region in an HA cluster. The configs are fine, which I got checked by TAC as well, as they are assisting me with this issue. The problem arises when we fail over to the secondary instance and the virtual IPs don't move to the secondary firewall. When the primary is active, everything works fine for both N-S and E-W traffic. In CloudGuard we have to assign secondary IPs to both trust and untrust VNICs of the primary firewall.
Just wondering if anybody else has experienced this same issue in OCI, Azure or AWS? We have followed the recommended architecture from the official Check Point documents to configure this solution. We have also done dynamic grouping for IAM policies and went through some SK articles that TAC shared to implement, but no luck so far.
Any leads would be highly appreciated. I also have a TAC case open for this.
I am using R81.20 with the latest hotfix, Take 26.
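As an added example (not from the original post or from Check Point), one way to verify on the OCI side where the cluster VIPs actually sit after a failover: the secondary private IPs on each member's trust and untrust VNICs are listed with `oci network private-ip list --vnic-id <ocid> --output json`, and this script parses such listings and reports any VIP that is not attached to the member that should be active. The VIP addresses, member names and the listing contents below are constructed sample values, and the `data` / `ip-address` / `is-primary` keys are assumed to match the CLI's JSON shape.

```python
"""Locate CloudGuard cluster VIPs (OCI secondary private IPs) across members' VNICs."""

# Expected VIP per VNIC role (constructed values; take these from your cluster design).
EXPECTED_VIPS = {"trust": "10.0.1.10", "untrust": "10.0.0.10"}

# Constructed sample in the shape of `oci network private-ip list --vnic-id ... --output json`
# for each member and VNIC role. Here both VIPs still sit on fw1.
SAMPLE_LISTINGS = {
    "fw1": {
        "trust":   {"data": [{"ip-address": "10.0.1.11", "is-primary": True},
                             {"ip-address": "10.0.1.10", "is-primary": False}]},
        "untrust": {"data": [{"ip-address": "10.0.0.11", "is-primary": True},
                             {"ip-address": "10.0.0.10", "is-primary": False}]},
    },
    "fw2": {
        "trust":   {"data": [{"ip-address": "10.0.1.12", "is-primary": True}]},
        "untrust": {"data": [{"ip-address": "10.0.0.12", "is-primary": True}]},
    },
}


def secondary_ips(listing):
    """Return the secondary (non-primary) private IPs from one VNIC listing."""
    return {e["ip-address"] for e in listing.get("data", []) if not e.get("is-primary", False)}


def locate_vips(expected, listings):
    """Map each expected VIP to the (member, vnic_role) that currently holds it, or None."""
    where = {vip: None for vip in expected.values()}
    for member, vnics in listings.items():
        for role, listing in vnics.items():
            for ip in secondary_ips(listing):
                if ip in where:
                    where[ip] = (member, role)
    return where


def failover_problems(active_member, expected, listings):
    """List VIPs that are missing or not attached to the member that should be active."""
    where = locate_vips(expected, listings)
    problems = []
    for role, vip in expected.items():
        holder = where[vip]
        if holder is None:
            problems.append(f"{role} VIP {vip} is not attached to any member")
        elif holder[0] != active_member:
            problems.append(f"{role} VIP {vip} still on {holder[0]}/{holder[1]}, expected {active_member}")
        elif holder[1] != role:
            problems.append(f"{role} VIP {vip} is on the wrong VNIC ({holder[1]}) of {active_member}")
    return problems


if __name__ == "__main__":
    # With fw1 active the sample is healthy; after failing over to fw2 both VIPs are stuck.
    print("active=fw1:", failover_problems("fw1", EXPECTED_VIPS, SAMPLE_LISTINGS) or "OK")
    print("active=fw2:", failover_problems("fw2", EXPECTED_VIPS, SAMPLE_LISTINGS) or "OK")
```

Run it once before and once after the failover with the live listings substituted for `SAMPLE_LISTINGS`; if the VIPs are reported as still on the old member, the failover's OCI API calls are not taking effect, which points at the IAM/dynamic-group policy or API reachability rather than the cluster configuration itself.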
What sort of permissions do you think are causing this issue? We created a dynamic group and assigned the highest level of IAM policy as per the documentation for the cluster. That's all they mentioned. Is there something else which we are not aware of?
Below is the link:
Feel free to send me an email at firstname.lastname@example.org
In the meantime, one thing to check real quick: please ensure NTP is configured on both cluster members and time is in sync. API calls will not work if the system time is not within 5 minutes of actual.
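As an added example (not part of the reply above or of any Check Point tooling), a small check for the NTP condition just described: it parses `ntpq -p` output from a cluster member, requires a selected sync peer (the `*` tally), and flags any clock offset beyond the 5-minute window the reply mentions. The two `ntpq -p` outputs below are constructed samples, and the use of 169.254.169.254 as the time source is an assumption about the member's NTP configuration, not something from the thread.

```python
"""Check ntpd sync state from `ntpq -p` output and flag clock offsets beyond a tolerance."""

MAX_SKEW_SECONDS = 300  # the 5-minute window mentioned in the reply

# Constructed sample: a member synchronised to its chosen peer (tally '*').
SAMPLE_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*169.254.169.254 10.0.0.5          3 u   21   64  377    0.412   -1.234   0.301
+ntp.example.net 203.0.113.9       2 u   45   64  377   12.110    2.870   1.120
"""

# Constructed sample: ntpd running but never reached its peer (no '*', reach 0, stratum 16).
SAMPLE_UNSYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 169.254.169.254 .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_ntpq(text):
    """Parse `ntpq -p` lines into dicts; column order is remote, refid, st, t, when, poll,
    reach (octal), delay, offset (ms), jitter, preceded by a one-character tally."""
    peers = []
    for line in text.splitlines()[2:]:  # skip the header and the '====' separator
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": tally,
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),
            "offset_ms": float(fields[8]),
        })
    return peers


def sync_status(text, max_skew_seconds=MAX_SKEW_SECONDS):
    """Return (ok, reason): ok only if a '*' sync peer exists, is reachable and within tolerance."""
    syspeers = [p for p in parse_ntpq(text) if p["tally"] == "*"]
    if not syspeers:
        return False, "no selected sync peer: ntpd is not synchronised"
    p = syspeers[0]
    if p["reach"] == 0:
        return False, f"sync peer {p['remote']} is unreachable"
    skew = abs(p["offset_ms"]) / 1000.0
    if skew > max_skew_seconds:
        return False, f"offset {skew:.1f}s to {p['remote']} exceeds {max_skew_seconds}s"
    return True, f"synced to {p['remote']} (stratum {p['stratum']}, offset {p['offset_ms']} ms)"


def members_in_sync(outputs, max_skew_seconds=MAX_SKEW_SECONDS):
    """Check every member's `ntpq -p` output; return {member: reason} for members not in sync."""
    return {m: reason for m, text in outputs.items()
            for ok, reason in [sync_status(text, max_skew_seconds)] if not ok}


if __name__ == "__main__":
    for member, text in {"fw1": SAMPLE_SYNCED, "fw2": SAMPLE_UNSYNCED}.items():
        print(member, sync_status(text))
```

Collect `ntpq -p` from each member (expert mode on Gaia) and feed both outputs to `members_in_sync`; an empty result means both clocks are trustworthy enough for the cloud API's signature validity window, and a non-empty one names the member to fix before looking further at the failover.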