Akshayc
Explorer

Checkpoint CloudGuard HA clustering VIP issue in OCI

Hello Peeps,

Need some direction and troubleshooting guidance on CloudGuard HA clustering in OCI. We have deployed 2 CloudGuard instances in the same OCI region in an HA cluster. The configs are fine, which I got checked by TAC as well, as they are assisting me in this issue. The problem arises when we do the failover to the secondary instance and the virtual IPs don't move to the secondary firewall. When primary is active, everything works fine for both N-S and E-W traffic. In CloudGuard we have to assign secondary IPs to both trust and untrust VNICs of the primary firewall.

Just wondering if anybody else has experienced this same issue in OCI, Azure or AWS? We have followed the recommended architecture from official Check Point documents to configure this solution. We have done dynamic grouping for IAM policies as well and went through some SK articles which TAC shared to implement, but no luck so far.

Any leads would be highly appreciated. I also have a TAC case opened for this.

Regards,

Akshay

8 Replies
PhoneBoy
Admin

What images are you using?
Seems like some sort of permissions issue on the credentials assigned to the instance.

Akshayc
Explorer

I am using R81.20 with the latest hotfix, Take 26.

What sort of permissions do you think are causing this issue? We created a dynamic group and assigned the highest level of IAM policy as per the documentation for the cluster. That's all they mentioned. Is there something else which we are not aware of?

Below is the link:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Oracle_Cloud_G...

Nir_Shamir
Employee

Are the VPCs and instances located in the same compartment?

Also check the logs under $FWDIR/log/oracle_had.elg to see the root cause.

Jeff_Engel
Employee

Were you able to get this working? Happy to help offline if need be.

Akshayc
Explorer

Hey Jeff,

Thanks for reaching out. Not yet, we are still stuck at the same issue. Happy to have a call or discussion if you are available.

Regards,

Akshay

Jeff_Engel
Employee

Hi Akshay,

Feel free to send me an email at jengel@checkpoint.com

In the meantime, one thing to check real quick is to please ensure both cluster members' NTP is configured and time is in sync. API calls will not work if system time is not within 5 minutes of actual.

Best Regards!

Jeff

Akshayc
Explorer

Hi Nir,

We ran this and found the below in the logs. We don't know what the last error means:

2023-09-21 14:48:46,814 OCI-CP-HA INFO Traceback (most recent call last):
  File "/etc/fw/scripts/oracle_had.py", line 258, in main
    reconf()
  File "/etc/fw/scripts/oracle_had.py", line 72, in reconf
    oci_client = oci.OCI()
  File "/opt/CPsuite-R81.20/fw1/scripts/oci.py", line 292, in __init__
    identity = metadata('identity/')
  File "/opt/CPsuite-R81.20/fw1/scripts/oci.py", line 122, in metadata
    resp.reason, data)
TypeError: __init__() missing 1 required positional argument: 'body'

Does this ring any bell?

Regards,

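One way to see what that TypeError is hiding, as an added example that is not part of this thread or of Check Point's oci.py: the traceback shows the metadata lookup of identity/ failing and the error-reporting code then crashing in the exception constructor, so the real HTTP status and body never reach the log. The MetadataError class, the IMDS v2 base URL and the Bearer header below are assumptions (the page names none of them); the script performs the same identity/ lookup and reports the failure instead of masking it.

```python
import json
import urllib.error
import urllib.request

# Assumption: OCI instance metadata service (IMDS v2) base URL and header;
# the page does not name them, these are the documented IMDS v2 values.
IMDS_BASE = "http://169.254.169.254/opc/v2/"
IMDS_HEADERS = {"Authorization": "Bearer Oracle"}


class MetadataError(Exception):
    """Hypothetical stand-in for the exception class raised in oci.py.

    It takes three positional arguments; the traceback shows it being
    built with two, which is why a TypeError replaces the real failure.
    """

    def __init__(self, reason, status, body):
        super().__init__(f"metadata HTTP {status} {reason}: {body}")
        self.reason, self.status, self.body = reason, status, body


def _http_fetch(path):
    """Return (status, reason, body) for an IMDS path; HTTP errors become a tuple."""
    req = urllib.request.Request(IMDS_BASE + path, headers=IMDS_HEADERS)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.reason, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.reason, e.read().decode(errors="replace")


def metadata(path, fetch=_http_fetch):
    """Fetch and parse an IMDS path; `fetch` is injectable for offline use."""
    status, reason, body = fetch(path)
    if status != 200:
        # All three arguments supplied, so the caller sees the HTTP status
        # and body of the failed identity lookup instead of a TypeError.
        raise MetadataError(reason, status, body)
    return json.loads(body)


def diagnose(path="identity/", fetch=_http_fetch):
    """One-line verdict on whether this member can read its own identity."""
    try:
        data = metadata(path, fetch)
    except MetadataError as e:
        return f"IMDS {path} failed: HTTP {e.status} {e.reason}; body={e.body!r}"
    return f"IMDS {path} ok: keys={','.join(sorted(data))}"
```

Calling diagnose() on each cluster member gives the status line the TAC case needs; a non-200 result from identity/ points at the instance's access to the metadata service rather than at the cluster configuration itself.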
