Solved: Sync interface on 80.30 never comes up

woee · ‎2022-07-25

Hello,

I have set up a HA cluster (2 gw + 1 mgmt) running 81.10 and everything is working fine. This is running on an ESXi server. When I set up the same cluster but in version 80.30, the sync interface never comes up. The HA cluster actually runs in split brain, as they cannot communicate since the sync interface never comes up. I have tested different configuration settings, but the ClusterXL is always failing to be established.

- I have a /30 subnet on the sync interface, making it a unique sync network (and it is the lowest vlan).
- On Gaia all interfaces are up, I can ping between them just fine to any interface, also the sync interface.
- Access policy contains just 1 rule to allow anything.
- I have the all-in-one evaluation license on all servers.
- In the logs I cannot see anything but the fact that the sync interface is down on both sides.
- Via cpconfig I removed each member (option 6) and joined again after reboot.
- I recreated the sic trust, changed every possible setting for anti-spoofing.
- I removed the cluster object and recreated it again, no effect.
- I used vmxnet3 and E1000 interfaces on the virtual machines.
- I used different subnets and IP addresses, but same result.
- Changed CCP mode to broadcast, unicast, auto, all same result (now it is again auto/unicast).
- ClusterXL is installed on the gateways.
- I used the wizard to create the cluster.
- I reinstalled the servers to be sure but the same result is noticed.

The only way to get the interfaces in an UP state, is when I set the first mgmt interface to cluster+sync. When I do this the interfaces come up (sometimes), but there is still no traffic between them to establish a proper HA cluster.

I am new to Checkpoint and cannot find any other info to troubleshoot further. I've taken a look at the log files, but cannot find a log file about the sync interface and the HA mechanism (not in fwd.elg or messages or any other file). Is there a log file where you can see the servers trying to establish the cluster or why the sync interfaces don't come up for HA? These interfaces are up and working, they just don't do HA.

Is there something obvious I am missing on the 80.30 that is different from the 81.10?

Thank you!
Wouter

Chris_Atkinson · ‎2022-07-26

R80.40 and above is less strict on the requirements...

Do you have all the following in place: sk101214

CCSM R77/R80/ELITE

View solution in original post

_Val_ · ‎2022-07-26

Double check that your clusterID on R80.30 is set to the same number on both cluster members.

woee · ‎2022-07-26

Thanks, great pointing out the clusterid, makes sense if there is a mismatch 2 different clusters will be formed. I don't know how to get this id. Do you know an easy way to verify this on 80.30?

[Expert@FW1:0]# cphaconf cluster_id get
cphaconf cluster_id set\get is not supported in this version.
For more details, please refer to sk25977.

_Val_ · ‎2022-07-26

from clish:

show cluster mmagic

woee · ‎2022-07-26

So what is the clusterID in there?

FW1> show cluster mmagic

Configuration mode: Automatic
Configuration phase: Stable

MAC magic: 1
MAC forward magic: 254

Used MAC magic values: None.

Chris_Atkinson · ‎2022-07-26

R80.40 and above is less strict on the requirements...

Do you have all the following in place: sk101214

CCSM R77/R80/ELITE

woee · ‎2022-07-26

Thank you. When browsing the SKs and forum, I didn't stumble upon this. I verified and most of the 3 settings were rejected. I have reconfigured the sync interface with a port group that has these settings enabled. Immediately, the interfaces came up, the cluster formed and I have a working active/standby setup on 80.30. I was hoping it was not CP related.

That was fast! Thank you! Saves me at least some hours.

_Val_ · ‎2022-07-26

@woee great to hear. you can ignore ClusterID then 🙂

woee · ‎2022-07-26

Yes, but now I need to know. 🙂

Are you a member of CheckMates?

Sync interface on 80.30 never comes up