Failover Issue with AWS deployment
We have deployed a firewall in AWS in HA.
We have multiple servers configured in static NAT which are accessible from outside.
We deployed the firewall in a cluster; we added the virtual IP as a secondary IP on the active firewall interface, along with the other multiple IPs used for static NAT,
where my primary IP is 172.31.24.120, the secondary IP is 172.31.24.130 and the virtual IP is 172.31.24.110.
We added the route for all subnets in AWS through the active firewall network interface (172.31.24.120, secondary IP 172.31.24.110).
Traffic is passing through the active firewall and everything is working fine.
When we fail over the traffic from active to standby, after a few minutes all secondary IPs are mapped to the standby firewall network interface.
But the route is not changed.
When we check the traceroute, traffic is going through the active firewall interface 172.31.24.120; it should go through the virtual IP (172.31.24.110).
That's why our traffic is not working.
When we change the route manually and add the standby firewall network interface, traffic starts working,
and when we check the traceroute, it is going through the virtual IP (172.31.24.110).
Please, someone help me to resolve the issue.
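The check the poster ended up doing by hand (find every VPC route that still targets the old active member's interface and repoint it at the standby member's interface) written as a script. This is an added example, not Check Point's cluster script and not code from the original post. It assumes the layout described above: subnet route tables whose routes target the active member's ENI, and a failover that should move them to the standby member's ENI. The ENI IDs, route table IDs and CIDRs are constructed placeholders; only the boto3 calls `describe_route_tables` and `replace_route` are real AWS API calls, and the `FakeEC2` class stands in for the client so the script runs offline.

```python
"""Detect and repair AWS route tables after a firewall cluster failover.

Added example (not Check Point's own code). Assumed layout: every subnet
route table carries routes whose target is the active member's network
interface; after failover those routes must target the standby member's
interface. All IDs below are constructed placeholders.
"""

ACTIVE_ENI = "eni-0aaaaaaaaaaaaaaa1"   # assumed: interface that held 172.31.24.120
STANDBY_ENI = "eni-0bbbbbbbbbbbbbbb2"  # assumed: interface that held 172.31.24.130
VPC_ID = "vpc-00000000000000000"       # constructed placeholder

# Constructed sample shaped like ec2.describe_route_tables()["RouteTables"]:
# first table still points at the old active ENI (the stale state from the
# thread), second table was already updated.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0123456789abcdef0",
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ACTIVE_ENI},
            {"DestinationCidrBlock": "10.10.0.0/16", "NetworkInterfaceId": ACTIVE_ENI},
        ],
    },
    {
        "RouteTableId": "rtb-0fedcba9876543210",
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": STANDBY_ENI},
        ],
    },
]


class FakeEC2:
    """Stand-in for a boto3 EC2 client so the example runs offline.

    It serves the constructed tables and records replace_route() calls
    instead of making them.
    """

    def __init__(self, route_tables):
        self.route_tables = route_tables
        self.calls = []

    def describe_route_tables(self, Filters=None):
        return {"RouteTables": self.route_tables}

    def replace_route(self, **kwargs):
        self.calls.append(kwargs)


def load_route_tables(ec2, vpc_id):
    """Fetch every route table in the VPC (real boto3 call shape)."""
    resp = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return resp["RouteTables"]


def stale_routes(route_tables, old_eni):
    """Return [(route_table_id, destination_cidr)] for routes still targeting old_eni."""
    stale = []
    for rtb in route_tables:
        for route in rtb.get("Routes", []):
            if route.get("NetworkInterfaceId") != old_eni:
                continue
            cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if cidr:
                stale.append((rtb["RouteTableId"], cidr))
    return stale


def repoint_routes(ec2, route_tables, old_eni, new_eni, dry_run=True):
    """Move every route that targets old_eni to new_eni.

    Returns the list of (route_table_id, cidr) that needed changing; with
    dry_run=True nothing is modified, which is the check to run right after
    a failover to confirm whether the cluster actually updated AWS.
    """
    changes = stale_routes(route_tables, old_eni)
    if not dry_run:
        for rtb_id, cidr in changes:
            kwargs = {"RouteTableId": rtb_id, "NetworkInterfaceId": new_eni}
            # IPv6 destinations use a different parameter name in ReplaceRoute.
            if ":" in cidr:
                kwargs["DestinationIpv6CidrBlock"] = cidr
            else:
                kwargs["DestinationCidrBlock"] = cidr
            ec2.replace_route(**kwargs)
    return changes


if __name__ == "__main__":
    # Offline run against the constructed sample; swap FakeEC2 for
    # boto3.client("ec2", region_name=...) to run it against a real VPC.
    client = FakeEC2(SAMPLE_ROUTE_TABLES)
    tables = load_route_tables(client, VPC_ID)
    print("routes still on old ENI:", stale_routes(tables, ACTIVE_ENI))
    fixed = repoint_routes(client, tables, ACTIVE_ENI, STANDBY_ENI, dry_run=False)
    print("repointed:", fixed)
    print("API calls issued:", client.calls)
```

Run it first with `dry_run=True` immediately after a failover: an empty result means the cluster did update the route tables and the problem is elsewhere; a non-empty result reproduces the symptom in the thread (secondary IPs moved, routes did not). The IAM role used by the gateways needs permission for both calls (`ec2:DescribeRouteTables` and `ec2:ReplaceRoute`) for the automatic update to work, and both members' interfaces must have the AWS source/destination check disabled, otherwise traffic forwarded via the repointed route is dropped even when the route is correct.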
Did you deploy this as part of a CloudFormation script that we've provided, or was it done manually?
In general, the routes should fail over if you've deployed per the instructions: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The problem is that my secondary IP is mapped to the standby IP when failing over the traffic.
But only the routing table is not updating after failover.
That's why traffic is not shifted to the standby FW.
We are rebuilding the firewalls with the new version R80.30; then we will verify the failover. If we face any issue, we will let you know.
We upgraded the firewall to R80.30.
Our network interface is not updating after failover in the AWS routing table.
I am pasting the Python script output below; please suggest.
Set operation succeeded
Testing if DNS is configured...
Primary DNS server is: 172.31.23.5
Testing if DNS is working...
DNS resolving test was successful
Testing metadata connectivity...
Region : eu-west-1
VPC : vpc-c56d8ba1
Domain : amazonaws.com
Testing for IAM role...
Testing for IAM credentials...
IAM credentials retrieved successfully
Testing cluster interface configuration...
Cluster interface configuration tested successfully
Testing connection to ec2.eu-west-1.amazonaws.com:443...
The connection was opened successfully
Comparing the system clock to AWS
Time difference is 0:00:00.799726
The system clock is synchronized
Testing AWS interface configuration...
All tests were successful!
You won't necessarily see it on the OS of the gateways, but it is reflected in AWS.
I suspect the issue is with your IAM role, particularly if you set it up manually versus using a CloudFormation script to do it.
I am checking routing on AWS only, and I have already verified the IAM role as well.
I did not find any issue with the IAM role; it is created as per SK104418.
For your visibility, I am pasting the IAM role policy details below.
We already opened a case for R77.30 with the same issue.
They have been working on it for the last few months, but are not able to provide us a solution.
Now when we raise a new case they say: this is a new deployment, so we are not going to help you.
Could you please provide any solution for that?
You should be using the most recent release (R80.30) in public cloud.
I believe we will be delisting R80.20 from the various marketplaces in the near future.