This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ajsingh
Explorer
‎2023-11-24 06:28 AM
Jump to solution

Load balancer on port 8117 reports gw's unhealthy

Hi All,

I recently deployed R81.10 Template in Azure with HA cluster setup. After deploying first thing I checked is my NSG on ETH1 and then Load balancing status. I found Backend Load balancer is reporting Gateways Unhealthy and Gateway's are dropping traffic from ILB : 
@;2736753;[cpu_1];[fw4_2];fwha_cloud_should_process_probe: fw_policyloaded is 1, not replying;
@;2736839;[cpu_3];[fw4_0];fwha_cloud_should_process_probe: fw_policyloaded is 1, not replying;
@;2736912;[cpu_2];[fw4_1];fwha_cloud_should_process_probe: fw_policyloaded is 1, not replying;

 

NSG on Backend ILB is fine and allowing all communication. 

[Expert@naspdmzcpfwl1:0]# cat /etc/cloud-version
release: R81.10
take: 335
build: 991001383
platform: azure
license: byol
deployment_method: ftw
template_name: ha
template_version: 20231002
template_type: marketplace
maas_usage: 0

 

[Expert@naspdmzcpfwl1:0]# cat $FWDIR/boot/modules/fwkern.conf
fwha_unicast_only=1
fwmultik_sync_processing_enabled=0
fw_aws_mode=1
fw_https_consider_nat=1
fw_xff_geo=1
cloud_balancer_ip1=0xa83f8110
fw_azure_mode=1
fwha_dead_timeout_multiplier=20
fwha_if_problem_tolerance=200
cloud_balancer_port=8117

 

Any help? I have open TAC case too but thought to ask experts here too for faster resolution. 

0 Kudos
1 Solution

Accepted Solutions
natanelm
Employee
Employee
‎2023-11-26 12:11 AM
In response to ajsingh
Jump to solution

Hi @ajsingh,

Let me see if I understood correctly: you are trying to create the cluster object in the smart console, but you cannot communicate with the gateway on ETH1 (SIC is failing). Is your management server trying to access the gateway through ETH1?

For the health probes, CloudGuard Gateways will only respond to them after the policy installation, and only the active member will do so (the standby member does not respond by design).

Please refer to step 5 in our guide to set up the GW objects in the SmartConsole: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Clust... 

I hope this clarifies your question.

Thanks,
Natanel

View solution in original post

0 Kudos
7 Replies
the_rock
Legend
Legend
‎2023-11-24 06:36 AM
Jump to solution

Maybe this would help?

Kind regards,

Andy

https://community.checkpoint.com/t5/Cloud-Network-Security/Azure-cloudguard-VMSS-health-probes-on-81...

0 Kudos
ajsingh
Explorer
‎2023-11-24 06:41 AM
In response to the_rock
Jump to solution

Hi,

I am using HA cluster Template. Right now I am unable to reach my gateway on ETH1 and hence no sic is established yet. I wanted to make SIC on ETH1 only so comms to firewall stays internal. 

I have default policy on firewalls yet since it is a brand new setup and i have tried to unload policy too but no success. 

0 Kudos
the_rock
Legend
Legend
‎2023-11-24 06:44 AM
In response to ajsingh
Jump to solution

Ah, now I got it. Well, in that case, we need to figure out why. Can you do traceroute to see why it fails? Did you do any captures to examine where it might be getting "stuck"?

Andy

0 Kudos
ajsingh
Explorer
‎2023-11-24 06:47 AM
In response to the_rock
Jump to solution

I do see traffic coming to my Eth1 on port 8117 but no reply from firewall. I just unloaded the policy too but same behavior . as soon as request reached ILB , its lost. 

0 Kudos
ajsingh
Explorer
‎2023-11-24 06:51 AM
In response to ajsingh
Jump to solution

IS ILB supposed to send traffic from below ip or from 10.x.x.5 IP? 

168.63.129.16.60721 > 10.x.x.5.8117: Flags [SEW], seq 585445089, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
09:46:19.059523 IP 168.63.129.16.60721 > 10.x.x.5.8117: Flags [SEW], seq 585445089, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
09:46:21.074660 IP 168.63.129.16.60721 > 10.x.x.5.8117: Flags [S], seq 585445089, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

0 Kudos
the_rock
Legend
Legend
‎2023-11-24 06:52 AM
In response to ajsingh
Jump to solution

Wait, do you have ILB and ELB or just ILB?

Andy

0 Kudos
natanelm
Employee
Employee
‎2023-11-26 12:11 AM
In response to ajsingh
Jump to solution

Hi @ajsingh,

Let me see if I understood correctly: you are trying to create the cluster object in the smart console, but you cannot communicate with the gateway on ETH1 (SIC is failing). Is your management server trying to access the gateway through ETH1?

For the health probes, CloudGuard Gateways will only respond to them after the policy installation, and only the active member will do so (the standby member does not respond by design).

Please refer to step 5 in our guide to set up the GW objects in the SmartConsole: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Clust... 

I hope this clarifies your question.

Thanks,
Natanel

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events