Failover Issue with AWS deployment
Hi All,
We have deployed the firewall in AWS in HA.
We have multiple servers configured with static NAT which are accessible from outside.
We deployed the firewall as a cluster; we added the virtual IP as a secondary IP on the active firewall interface, along with the other multiple IPs used for static NAT,
where my PRI IP is 172.31.24.120, SEC IP is 172.31.24.130 and virtual IP is 172.31.24.110.
We added the route for all subnets in AWS through the active firewall network interface (172.31.24.120, secondary IP 172.31.24.110).
Traffic is passing through the active firewall and everything is working fine.
When we fail over the traffic from active to standby, after a few minutes all secondary IPs are mapped to the standby firewall network interface.
But the route is not changed.
When we check the traceroute, traffic is going through the active firewall interface 172.31.24.120. It should go through the virtual IP (172.31.24.110).
That's why our traffic is not working.
When we change the route manually and add the standby firewall network interface, traffic starts working,
and when we check the traceroute, it is going through the virtual IP (172.31.24.110).
Please, someone help me to resolve the issue.
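The failure described above (the VIP moves to the standby member's ENI but the VPC route table keeps pointing at the old ENI) can be checked from the AWS side. The following is an added example, not code from the thread or from Check Point: it runs the check offline over constructed data shaped like ec2 DescribeNetworkInterfaces / DescribeRouteTables responses, using the thread's addresses and placeholder ENI and route-table ids, and assumes every ENI-targeted route in the table belongs to the cluster.

```python
"""Post-failover route check: does every ENI-targeted route point at the ENI
that currently holds the cluster virtual IP?  All ids below are placeholders
and the data is constructed to reproduce the stale-route condition."""

VIRTUAL_IP = "172.31.24.110"  # cluster VIP from the thread

# Constructed: the VIP has already been moved to the standby member's ENI ...
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-ACTIVE-PLACEHOLDER",
     "PrivateIpAddresses": [{"PrivateIpAddress": "172.31.24.120", "Primary": True}]},
    {"NetworkInterfaceId": "eni-STANDBY-PLACEHOLDER",
     "PrivateIpAddresses": [{"PrivateIpAddress": "172.31.24.130", "Primary": True},
                            {"PrivateIpAddress": VIRTUAL_IP, "Primary": False}]},
]

# ... but the route table still targets the former active member's ENI.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-PLACEHOLDER",
     "Routes": [
         {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-ACTIVE-PLACEHOLDER"},
         {"DestinationCidrBlock": "10.0.0.0/8", "NetworkInterfaceId": "eni-ACTIVE-PLACEHOLDER"},
     ]},
]


def eni_holding_ip(interfaces, ip):
    """Return the id of the ENI that owns `ip` as primary or secondary address, else None."""
    for eni in interfaces:
        if any(addr["PrivateIpAddress"] == ip for addr in eni["PrivateIpAddresses"]):
            return eni["NetworkInterfaceId"]
    return None


def stale_routes(route_tables, interfaces, vip):
    """List (route table id, destination, current ENI) for ENI routes not on the VIP's ENI."""
    vip_eni = eni_holding_ip(interfaces, vip)
    if vip_eni is None:
        raise ValueError(f"virtual IP {vip} is not assigned to any ENI")
    stale = []
    for table in route_tables:
        for route in table["Routes"]:
            target = route.get("NetworkInterfaceId")  # routes to igw/local have no ENI
            if target and target != vip_eni:
                stale.append((table["RouteTableId"], route["DestinationCidrBlock"], target))
    return stale


if __name__ == "__main__":
    expected = eni_holding_ip(NETWORK_INTERFACES, VIRTUAL_IP)
    for rtb, dest, eni in stale_routes(ROUTE_TABLES, NETWORK_INTERFACES, VIRTUAL_IP):
        print(f"{rtb}: {dest} -> {eni} (expected {expected})")
```

Against live data the two lists would come from the describe calls that the IAM policy in this thread permits (ec2:DescribeNetworkInterfaces, ec2:DescribeRouteTables); an empty result means the route table followed the VIP.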
Did you deploy this as part of a CloudFormation script that we've provided or done this manually?
In general, the routes should fail over if you've deployed per the instructions: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The problem is that my secondary IP is mapped to the standby IP when failing over the traffic.
But only the routing table is not updating after failover.
That's why traffic is not shifted to the standby FW.
We are rebuilding the firewalls with the new version R80.30; then we will verify the failover. If we face any issue, I will let you know.
Hi,
We upgraded the firewall to R80.30.
Our network interface is not updating after failover in the AWS routing table.
I am pasting the Python script output below; please suggest.
[Expert@N-MUILPRODCFW01:0]# $FWDIR/scripts/aws_ha_test.py
Set operation succeeded
Testing if DNS is configured...
Primary DNS server is: 172.31.23.5
Testing if DNS is working...
DNS resolving test was successful
Testing metadata connectivity...
Region : eu-west-1
VPC : vpc-c56d8ba1
Domain : amazonaws.com
Testing for IAM role...
Role: Checkpoint_Cluster_R80
Testing for IAM credentials...
IAM credentials retrieved successfully
Testing cluster interface configuration...
Cluster interface configuration tested successfully
Testing connection to ec2.eu-west-1.amazonaws.com:443...
The connection was opened successfully
Comparing the system clock to AWS
Time difference is 0:00:00.799726
The system clock is synchronized
Testing AWS interface configuration...
All tests were successful!
[Expert@N-MUILPRODCFW01:0]#
You won't necessarily see it on the OS of the gateways, but reflected in AWS.
Suspect the issue is with your IAM role, particularly if you set it up manually versus using a CloudFormation script to do it.
I am checking routing on AWS only, and I already verified the IAM role as well.
I did not find any issue with the IAM role; it is created as per SK104418.
For your visibility I am pasting the IAM role policy details below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeRouteTables",
"ec2:ReplaceRoute",
"ec2:AssignPrivateIpAddresses",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateRoute"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I would involve TAC here - AWS is only poorly documented and does change so quickly...
Thanks for your update.
We have already engaged TAC on this; let's see if they can provide us a solution for the same.
We already opened a case for R77.30 with the same issue.
They have been working on it for the last few months, but have not been able to provide us a solution.
Now when we raise a new case they are saying, "this is a new deployment, so we are not going to help you."
Could you please provide us any solution for that?
You should be using the most recent release (R80.30) in public cloud.
I believe we will be delisting R80.20 from the various marketplaces in the near future.
We have the same problem too, and it still has not been resolved.