Muhammad_Ali
Participant

Both security gateways are active in the Full HA cluster

Hi All,

I have configured two Check Point Gateways using GAIA R80.20 and added both security gateways to a Full HA cluster. After configuring the sync interface, when I checked the High Availability state using the "cphaprob state" command, both gateways appeared as "Active". It is not displaying the secondary gateway as the "Standby" gateway. Are there any settings or configuration changes required to make the secondary gateway "Standby"?

Thanks.

0 Kudos
37 Replies
Steve_Macfarlan
Participant

Hello Muhammad,

Your problem might not be with your Check Point cluster members. When I suffered from this issue, it was the advanced network adapter feature 'enable MAC address spoofing' that needed to be checked in the Hyper-V configuration.

KHATIR_Abdessam
Explorer

Hello Muhammad, 

Check the sync with #fw ctl pstat on both units, capture the CCP packets (UDP 8116) with #tcpdump -nnei port 8116, and try disabling cluster membership from cpconfig, rebooting, enabling it again, and rebooting on both members.

 

Finally, list all the kernel parameters and their values with the following command and compare the values with WinMerge, or egrep for the "mac", "ccp" and "cluster" keys:

#modinfo -p $FWDIR/boot/modules/fw_kern_64*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_kernel_parameters.txt 2>> /var/log/fw_kernel_parameters.txt

 

#egrep "ccp" /var/log/fw_kernel_parameters.txt

 

Regards, 

Abdessamed

0 Kudos
Muhammad_Ali
Participant

Thanks to everyone who replied to this post and assisted me in troubleshooting. After investigating further I found that there was nothing wrong with the Check Point cluster members / HA configuration; it was the VM infrastructure that had the issues. The infrastructure team made some changes on the HA VLAN Port-Group in vCenter. After this change one cluster member became "ACTIVE" and the other "STANDBY".

jk7
Explorer

Hi Ali, I am having the same issue. Can you share what exactly the issue was, and what change was made on the HA VLAN Port-Group in vCenter? Much appreciated!
0 Kudos
Teet
Explorer

Hello, I had the same issue with R77.30 and this helped -> https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Best-Practice-for-HA-sync-interfa...

Setting the sync interface's VMware port group options Promiscuous mode, MAC address changes and Forged transmits from Reject -> Accept

Before the changes, tcpdump also showed some cluster packets, but probably the aforementioned security features filtered some important ones out or something.

0 Kudos
the_rock
Leader

Never mind, I should have scrolled all the way down, haha. Glad you were able to figure it out.

0 Kudos
the_rock
Leader

I would check the option to use a virtual MAC, as it would always stay associated no matter which one is active. Also, run the commands below and let us know the outcome:

 

cphaprob state

cphaprob -a if

cphaprob list

cphaprob syncstat

 

If still no luck, maybe try doing cphastop and cphastart on one of them and see what happens. Does sync show okay on both members?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
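Added example (my own, not code from any poster in this thread): a POSIX shell check that reads saved "cphaprob state" output and flags the both-members-ACTIVE condition this thread is about, so the check can run from a monitoring job on either member. The two sample outputs are constructed to approximate the R80.x table layout; the member names and addresses are made up.

```shell
#!/bin/sh
# Detect the "both members ACTIVE" symptom from saved "cphaprob state" output.
# Run as:  cphaprob state | ha_health   (or feed a saved capture on stdin).

# Constructed sample (not a real capture) approximating the R80.x table layout
# when both members claim ACTIVE, i.e. the symptom reported in this thread.
SPLIT_BRAIN_SAMPLE='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         GW-A
2          192.0.2.2       100%            ACTIVE         GW-B'

# Constructed sample of a healthy pair (one ACTIVE, one STANDBY).
HEALTHY_SAMPLE='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         GW-A
2          192.0.2.2       0%              STANDBY        GW-B'

# count_state STATE: read cphaprob state output on stdin and print how many
# member rows carry STATE. Prefix match so "ACTIVE(!)" still counts as ACTIVE.
count_state() {
    awk -v want="$1" '
        # member rows begin with a numeric ID; header and blank lines do not
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++) if (index($i, want) == 1) n++
        }
        END { print n + 0 }'
}

# ha_health: read cphaprob state output on stdin, print OK, SPLIT_BRAIN or
# NO_ACTIVE, and return non-zero for anything other than OK so a monitoring
# job can alert on it.
ha_health() {
    out=$(cat)
    active=$(printf '%s\n' "$out" | count_state ACTIVE)
    if [ "$active" -gt 1 ]; then
        echo SPLIT_BRAIN; return 1
    elif [ "$active" -eq 0 ]; then
        echo NO_ACTIVE; return 1
    fi
    echo OK
}
```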
GrassF
Participant

Issue resolved after a reboot of both cluster members and a policy push.

Thank you