Only one member in ClusterXL appears with "cphaprob stat" command

I have built a Full HA ClusterXL with Firewall Gateways on VM (OS GAIA R77.30).

To make sure that the cluster is working properly, I used cphaprob commands.

But with "cphaprob stat" I only see the member on which I am, as "Active" and with 100% Assigned Load.

Same issue for both members, primary or secondary.

Moreover, I don't have this problem in SmartDashboard.

What is the problem?

0 Kudos
5 Replies

My guess is that you didn't set the same Cluster Global ID on both members during the R77.30 post-installation wizard. This value must match on all members of the cluster or they will refuse to cluster up with each other. Run cphaconf cluster_id get to check this value on both members. If you need to reset the value on one of the members to match the other, use the cphaconf cluster_id set <CLUSTER_ID_VALUE> command.

R80.10 gateway clusters use a new feature called “Automatic MAC Magic” by default to automatically derive a unique Cluster Global ID, and prevent conflicts with other gateway clusters on the same network. The status of this new feature can be checked with the cphaprob mmagic command. This feature can also be monitored from a new ClusterXL-based screen of the cpview tool on a R80.10 gateway under Advanced...ClusterXL, and is backward compatible with gateways that had their Cluster IDs configured manually in earlier versions such as R77.30.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos

Thanks Tim for your response and your precision!

So I will check my Cluster Global ID and both members have the same.

Sync dedicated interface, Management dedicated interface, same cluster ID, synchronization OK... Except for the cphaprob stat command, all seemed clear.

And I didn't use R80 for the time being but I keep cphaprob mmagic command in my head for later.

0 Kudos

if it's still urgent 🙂
in Hyper-V NICs, used for sync, should be allowed to do MAC spoofing

0 Kudos

You can also check with "cphaprob -a if" if both members use the same method for exchanging cluster state, multicast or broadcast. When both are set to multicast, make sure it is allowed by the VM switch.
You need to disable ALL security features on the firewalls' switch ports for it to work properly.
Also, did you reboot both gateways already, and have you checked the setting in cpconfig?
Regards, Maarten
0 Kudos

I've had the problem described by the topic-starter.

Yesterday I resolved it by switching on MAC spoofing in Hyper-V openserver NICs, then rebooted one by one and cphaprob stat started to show cluster info correctly. It seems like cluster members couldn't sync - so-called split brain. All other attributes on both cluster members are the same.

here is the explanation: 

https://community.checkpoint.com/t5/General-Topics/Both-security-gateways-are-active-in-the-Full-HA-...

 

0 Kudos
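The symptom discussed in this thread (each member lists only itself, as Active with 100% load) can be checked by comparing the `cphaprob stat` output saved from each gateway. The script below is an added example, not part of any post above; the member names, addresses and sample output are constructed, and the column layout is assumed to match R77.30-style output.

```python
import re

# One member row: number, optional "(local)", address, load %, state.
# Assumption: R77.30-style column layout of `cphaprob stat`.
ROW = re.compile(r"^\s*(\d+)\s*(\(local\))?\s+(\S+)\s+(\d+)%\s+(.+?)\s*$")

def parse_members(text):
    """Return the member rows found in one gateway's `cphaprob stat` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "local": bool(m.group(2)),
                         "address": m.group(3), "load": int(m.group(4)),
                         "state": m.group(5)})
    return rows

def diagnose(outputs, expected_members=2):
    """outputs maps a gateway name to the text of its own `cphaprob stat`."""
    findings, active_local = [], []
    for name, text in sorted(outputs.items()):
        rows = parse_members(text)
        if len(rows) < expected_members:
            findings.append(f"{name}: sees {len(rows)} of {expected_members} members")
        if any(r["local"] and r["state"] == "Active" for r in rows):
            active_local.append(name)
    if len(active_local) > 1:
        findings.append("split brain: " + ", ".join(active_local)
                        + " each report themselves Active")
    return findings

# Constructed sample output (hypothetical gateways gw-a and gw-b).
HEADER = ("Cluster Mode:   High Availability (Active Up) with Broadcast Membership\n\n"
          "Number     Unique Address  Assigned Load   State\n\n")
SPLIT = {
    "gw-a": HEADER + "1 (local)  192.0.2.1       100%            Active\n",
    "gw-b": HEADER + "1 (local)  192.0.2.2       100%            Active\n",
}
HEALTHY = {
    "gw-a": HEADER + "1 (local)  192.0.2.1       100%            Active\n"
                     "2          192.0.2.2       0%              Standby\n",
    "gw-b": HEADER + "1          192.0.2.1       100%            Active\n"
                     "2 (local)  192.0.2.2       0%              Standby\n",
}

if __name__ == "__main__":
    for label, sample in (("split", SPLIT), ("healthy", HEALTHY)):
        print(label, diagnose(sample) or "no findings")
```

A non-empty result means the members are not seeing each other's cluster state packets, which is where the checks suggested in the replies (matching Cluster Global ID, same multicast or broadcast mode, VM switch settings) apply.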