- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Failover Issue with AWS deployment
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Failover Issue with AWS deployment
Hi All
We have deployed Firewall in AWS in HA.
We have multiplease server configure in Static nat which is accessible from out side.
we deployed firewall in cluster, we add virtual IP as secondary IP in Active Firewall interface and other multiple IPs which used for Static NAT.
where my PRI IP:- 172.31.24.120, SEC IP :- 172.31.24.130 and vertual IP is :- 172.31.24.110
We add the route for all subnet in AWS through the active firewall Network Interface. (172.31.24.120 secondary IP 172.31.24.110)
Traffic is passing through the active firewall and everything is working fine.
when we failover the traffic from Active to Standby. after few minuted all secondary Ip is mapped with Standby Firewall network interface.
But route is not changed.
When we check the traceroute, traffic is goint through Active firewall interface 172.31.24.120. it should go through the Virtual IP (172.31.24.110)
Thats why our traffic is not working.
when we change the route manually and add the Standby Firewall Network Interface traffic started working.
and checked the Traceroute, it is going through the Virtual IP (172.31.24.110)
Please someone help me to resolve the issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you deploy this as part of a CloudFormation script that we've provided or done this manually?
In general, the routes should fail over if you've deployed per the instructions: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem is my secondary IP mapped with standby IP while failover the traffic.
But only routing table is not updating after failover.
thats why traffic is not shifted to standby FW.
We are rebuilding the firewalls with new Version R80.30 then we will verify the Failover. if any face any issue let you know.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
We upgrade the Firewall in R80.30,
Our network interface is not updating after failover, i aws routing table.
I am pasting python script output below, please suggest,
[Expert@N-MUILPRODCFW01:0]# $FWDIR/scripts/aws_ha_test.py
Set operation succeeded
Testing if DNS is configured...
Primary DNS server is: 172.31.23.5
Testing if DNS is working...
DNS resolving test was successful
Testing metadata connectivity...
Region : eu-west-1
VPC : vpc-c56d8ba1
Domain : amazonaws.com
Testing for IAM role...
Role: Checkpoint_Cluster_R80
Testing for IAM credentials...
IAM credentials retrieved successfully
Testing cluster interface configuration...
Cluster interface configuration tested successfully
Testing connection to ec2.eu-west-1.amazonaws.com:443...
The connection was opened successfully
Comparing the system clock to AWS
Time difference is 0:00:00.799726
The system clock is synchronized
Testing AWS interface configuration...
All tests were successful!
[Expert@N-MUILPRODCFW01:0]#
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You won't necessarily see it on the OS of the gateways, but reflected in AWS.
Suspect the issue is with your IAM role, particularly if you set it up manually versus using a CloudFormation script to do it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
routing checking on AWS only, and i already verified the IAM role as well.
not find any issue with IAM role its create as per SK104418
For your visibility i am pasting you IAM role Policy details below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeRouteTables",
"ec2:ReplaceRoute",
"ec2:AssignPrivateIpAddresses",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateRoute"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would involve TAC here - AWS is only poorly documented and does change so quickly...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your update,
We already engage TAC on this let see if they can provide us solution for the same.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We already open a case for R77.30 with same issue.
They are working on last few months, but not able to provide us solution.
now when we raise a new case they are asking, this is new deployment so we are not going to help you.
Could you please provide you any solution for that?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be using the most recent release (R80.30) in public cloud.
I believe we will be delisting R80.20 from the various marketplaces in the near future.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we have a same the problem yet...but still not been resolved now....