This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
saitoh
Advisor
‎2025-02-12 04:22 AM
Jump to solution

VRRP not enabled: R81.20 ClusterXL with VRRP

Hi all,

 

I am trying to test ClusterXL with VRRP as High Availability method.

I read some documents which says all I have to do in order to set it up is just to make ClusterXL cluster in a normal way, except for High Availability mode; VRRP.

 

I have already had one of cluster with ClusterXL in my lab, so I changed HA mode into VRRP just after I configured Advanced VRRP in GAiA Portal.

 

One of my coworkers told me that I can make sure HA mode by looking at the output of "cphaprob state".

I can clearly confirm the output changes before and after the configuration above.

 

Yet, #show vrrp returns me "VRRP not enabled".

Is this expected output in this occasion?

 

Both GW are managed by one SMS.

R81.20 without any JHF.

 

I did the following, which I believe it is how you configure VRRP in GAiA Portal:

1. In Advanced VRRP section, check Monitor Firewall State

2. Add Virtual Routers as follows

VRID: 1  Interface: eth0  VRRP Mode: VRRP  Priority: 100  Hello Interval: 1  Preempt:  Yes

Auto-deactivation: No  Backup Addresses: None  Monitored Interfaces:  eth1 (delta: 10)

 

Priority of vRouter in standby VM is set to 99.

 

 

Any comments would be more than welcome!

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
1 Solution

Accepted Solutions
saitoh
Advisor
‎2025-02-13 12:32 AM
Jump to solution

I solved this by adding backup address as follows.

 

ClusterXL VIP for eth0: 10.31.10.113

vRouter 1 backup address: 10.31.10.113

 

Then #show vrrp returns VRRP state!

What is this "backup address" ? no idea what this address is used in VRRP function.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor

View solution in original post

7 Replies
Lesley
MVP Gold
MVP Gold
‎2025-02-12 12:04 PM
Jump to solution

What steps you have followed?

This one?

https://support.checkpoint.com/results/sk/sk92061

And why VRRP if I may ask? See for limitations

https://support.checkpoint.com/results/sk/sk105170

All clusters I manage are ClusterXL and soon will be ElasticXL

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
saitoh
Advisor
‎2025-02-12 09:59 PM
In response to Lesley
Jump to solution

Dear @Lesley ,

 

Thanks for your comments.

I followed the steps below.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/VRRP-Ad...

 

One thing, I did not add backup address because I thought this is optional.

 

I would like to try ClusterXL over VRRP. That is why.

Yet, I still have confusing idea on this.

I thought they are the methods for making network redundant, one is universal and the other CP-exclusive, and

do not understand why you want to use them both...

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-02-12 12:41 PM
Jump to solution

Im with @Lesley on this one, those SKs are definitely relevantt in your case.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
saitoh
Advisor
‎2025-02-12 10:22 PM
In response to the_rock
Jump to solution

Dear @the_rock ,

 

Appreciated for your comment.

I thought I configured VRRP rightly, judging from the fact below:

 

When only ClusterXL enabled, #cphaprob state  returns the following.

Cluster Mode: New High Availability (Primary Up)
with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.0.1     100%            Active
2          192.168.0.2     0%              Standby

 

Then I changed HA mode to VRRP with Advanced VRRP settings done in GAiA Portal, the output changes.

Cluster Mode: Sync only (OPSEC) with IGMP Membership

Number     Unique Address  Firewall State (*)

1 (local)  192.168.0.1     Active
2          192.168.0.2     Active

(*) FW-1 monitors only the sync operation and the security policy
    Use OPSEC's monitoring tool to get the cluster status

 

Considering the outputs, I thought it is safe to say VRRP is enabled.

However #show vrrp says VRRP not enabled.

 

This is not very persuasive...

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
saitoh
Advisor
‎2025-02-12 10:30 PM
Jump to solution

I took routed trace on questioning cluster, and then I noticed they actually were communicating with each other, yet some necessary config might be missing.

 

image.png

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
saitoh
Advisor
‎2025-02-13 12:32 AM
Jump to solution

I solved this by adding backup address as follows.

 

ClusterXL VIP for eth0: 10.31.10.113

vRouter 1 backup address: 10.31.10.113

 

Then #show vrrp returns VRRP state!

What is this "backup address" ? no idea what this address is used in VRRP function.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
the_rock
MVP Diamond
MVP Diamond
‎2025-02-13 04:30 AM
In response to saitoh
Jump to solution

I could be mistaken, but I believe its similar to VIP in clusterXL.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events