Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Ivory

ClusterXL issues after carrying out steps in sk43807

Hi all, recently installed a new installation of R80.40 - one mgmt server, two g/ways in a cluster (clusterXL) - we have had an issue since the start retrieving IPS update, anti-bot, NTP from the passive gateway.  If you switch them around then the issue remains on the passive so it's not policy.  Digging around on these forums lead me to try the steps listed in sk43807 - https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Connectivity-issues-from-standby-...

as this appeared to help others (albeit on R80.30).  Whilst it has indeed resolved the issue of the updates, time sync etc to the passive gway.  An unexpected side affect is that clusterXL is not working correctly.

 

I also cannot now connect to the web interface of the passive node, it does not time out or error - it just hangs when attempting to connect.    I have rebooted the passive gateway and it had no affect. 

Output below from the cli, which is still reachable: -

cphaprob stat

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 10.0.110.2 0% INIT SSSLFW02-pri
2 10.0.110.3 100% ACTIVE SSSLFW02-sec


Active PNOTEs: IAC, HAINIT

Last member state change event:
Event Code: CLUS-112101
State change: INIT
Reason for state change: FULLSYNC PNOTE
Event time: Thu May 14 11:38:05 2020

Cluster failover count:
Failover counter: 0
Time of counter reset: Tue May 5 14:06:38 2020 (reboot)


[Expert@SSSLFW02-pri:0]# cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check
Current state: problem (non-blocking)

Device Name: HA Initialization
Current state: initializing

 

any help appreciated

 

0 Kudos
2 Replies
Highlighted

The non-active member in your cluster appears to be stuck in a HA Init state; that member won't interact with the network at all until it completes the initialization and goes standby to ensure it doesn't mess things up before getting the "lay of the land" in the cluster.  It seems to be stuck trying to get an initial full sync from the active member, check your sync network and associated configuration.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted
Ivory

Thanks Tim, after being frustrated by this yesterday - the issue corrected itself after about two hours of being left alone.

To be clear I changed nothing in the ClusterXL configuration which was working fine up until that point.  I added to the table.def file on the security management server port 80,443,53,123 and pushed the policy as per the instructions in sk43807.  Initially all was good then the clustering stopped.

 

This is a virtual deployment on VMware, perhaps I was inpatient with it as i did reboot the passive and maybe taht caused more problems.  This is the second time i've seen issues with ClusterXL having a wobble when something is changed at OS level.  

 

I'm probably being punished for going straight to R80.40.. but other than these couple of niggles it's been great, so fingers crossed now we won't see anything further.

 

Thanks for taking the time to reply

 

PS: to add, i've failed over and failed back a couple of times this morning, and no issues

0 Kudos