cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Odd cphaprob output

Jump to solution

Having an unusual issue with a cluster firewall interface. Firewall was rebooted and post reboot one side of the sync interface is showing an issue where the inbound is up but the outbound is down. The other side is UP & UP.

fw1-cxl1:0]# cphaprob -a if

Required interfaces: 7
Required secured interfaces: 1

eth7 Inbound: UP Outbound: DOWN (6062.3 secs) sync(secured), multicast
eth5 UP non sync(non secured), multicast (eth5.71 )
bond2 UP non sync(non secured), multicast, bond Load Sharing (bond2.32 )
bond0 UP non sync(non secured), multicast, bond Load Sharing (bond0.17 )
bond1 UP non sync(non secured), multicast, bond Load Sharing (bond1.80 )
bond0 UP non sync(non secured), multicast, bond Load Sharing (bond0.245 )
eth5 UP non sync(non secured), multicast (eth5.246 )

Any obvious (to you!) ideas what might cause this before I roll up my sleeves?

TIA

0 Kudos
1 Solution

Accepted Solutions
Highlighted

Re: Odd cphaprob output

Jump to solution

Just to close the circle on this. My issue turned out to be a problem with mis-matching count of CoreXL instances on both nodes. Visible under cpview 'SysInfo'. Once I matched the number of instances by changing the config in cpconfig and rebooting, the previous stable status was restored.

Why it stopped using the sync interface IP addresses while the mismatch occurred is unknown.

View solution in original post

0 Kudos
4 Replies
Highlighted

Re: Odd cphaprob output

Jump to solution

What is the physical setup of the sync interface?  Just an Ethernet cable or connected through a switch?

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted

Re: Odd cphaprob output

Jump to solution

igmp snooping on switch side could be a cause too.
you can verify that by setting the cluster to unicast or broadcast for testing purpose.
See sk20576.

0 Kudos
Highlighted

Re: Odd cphaprob output

Jump to solution

Just to close the circle on this. My issue turned out to be a problem with mis-matching count of CoreXL instances on both nodes. Visible under cpview 'SysInfo'. Once I matched the number of instances by changing the config in cpconfig and rebooting, the previous stable status was restored.

Why it stopped using the sync interface IP addresses while the mismatch occurred is unknown.

View solution in original post

0 Kudos
Highlighted

Re: Odd cphaprob output

Jump to solution
Connected via a switch by the bye, but not germane to the issue in this case as the interfaces were not down, except for CP HA.
0 Kudos