Participant

Both security gateways are active in the Full HA cluster

Hi All,

I have configured two Check Point gateways using GAIA R80.20 and added both security gateways to a Full HA cluster. After configuring the sync interface, when I check the High Availability state using the "cphaprob state" command, both gateways appear as "Active". It is not displaying the secondary gateway as a "Standby" gateway. Is there any setting or configuration change required to make the secondary gateway "Standby"?

Thanks.

0 Kudos
30 Replies
Admin

Make sure they are communicating on both Sync and other production interfaces. It looks like a clear split brain situation.

Another guess is that you are not using Full HA but Load Sharing physical cluster instead. In that case, it is normal.

Please post the output of the "cphaprob stat" command here.

0 Kudos
Participant

Output of "cphaprob stat"

Gateway 1:

Gateway 2:

0 Kudos
Admin

Okay. It is a split brain. They do not see each other. Are they connected to the same network on at least 1 of the interfaces?

0 Kudos
Participant

Yes, they are both connected to the same network.

0 Kudos
Admin

Please also post the "cphaconf cluster_id get" output from both of them.

0 Kudos
Participant

I am using R80.20, and I believe from R80.10 onwards there is a new algorithm introduced which does automatic selection of the MAC magic.

0 Kudos
Admin

Okay, I need the output from each for this:

  1. fw ctl get int fwha_mac_magic

Do it from the expert shell.

0 Kudos
Participant

I get this result on both gateways when I run fw ctl get int fwha_mac_magic:

If you are after ClusterXL detail for both gateways then it is shown below:

Gateway 1

Gateway 2

0 Kudos
Champion

Are these gateways production appliances, or do you have them set up in test in VMware?

If the latter, please disable all port security features of the switch ports leading to the FWs.

Regards, Maarten
0 Kudos
Participant

The gateways are not production appliances yet, but they will be deployed soon once HA starts working.

Yes, they are running in a virtual environment, and I have disabled all port security features, but no luck.

0 Kudos
Advisor

The LOST state says: The peer cluster member lost connectivity to this local cluster member (for example, while the peer cluster member is rebooted).

Check policy install (fw stat), check the license, and check that cluster membership is enabled in cpconfig, but it looks like a connectivity issue.

POST: cphaprob -a if, cphaprob -l list

0 Kudos
Participant

Currently there are no policies installed, as it is a new setup. The cleanup rule has been set to allow all traffic. And cluster membership is enabled in cpconfig. It could be a connectivity issue, but I couldn't figure out where the problem is.

The output of "cphaprob -a if" and "cphaprob -l list":

Gateway 1:

Gateway 2:

0 Kudos
Admin

Okay, that explains it... You need to push policy for the cluster to work properly. Before that, any checks are pointless.

0 Kudos
Participant

I have also tried pushing the policy for the cluster, but it didn't help either.

0 Kudos
Champion

Reboot both members and also check on the switches whether they allow multicast.

Last but not least check with cpconfig if cluster membership is enabled.

Regards, Maarten
0 Kudos
Advisor

I see the policy installed with time and date, and the pnote also shows Policy = OK, but try to install it one more time and see if it helps.

0 Kudos
Participant

I have tried to install policies a number of times, making different changes, but no joy.

0 Kudos
Advisor

Try switching to a different mode than unicast: cphaconf set_ccp broadcast on both nodes, then reboot.

Send the Sync section from fw ctl pstat.

And also:

cphaprob syncstat
cphaprob mmagic

0 Kudos
Participant

Gateway 1

[Expert@gw-001:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None

Gateway 2

[Expert@gw-002:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None.

0 Kudos
Advisor

I cannot see any issue.

0 Kudos
Advisor

Pay special attention whether the cluster members are configured identically:

  • security policy (cpstat -f policy fw)
  • status of SecureXL (fwaccel stat)
  • FireWall-1 Chain Modules (fw ctl chain)
  • FireWall-1 Connections Modules (fw ctl conn)
  • enabled_blades

Else create TAC ticket, because debug is needed.

0 Kudos

Why don't you try using a dedicated interface for sync? It appears that you are using Cluster + Sync on eth0, and maybe that is somehow confusing it?

0 Kudos
Participant

I did try using a dedicated interface for sync, but that didn't help either; I was getting the same result.

0 Kudos
Employee+

Hello Muhammad,

Your members don't hear each other. Please check your Sync (eth0) connectivity between members; try to perform a ping and tcpdump investigation. Make sure that you are using an L2 connection between your members. Check that your environment doesn't have a duplicate of the IP on the physical interfaces of the members. Check that "Get Topology" has been done and the policy was installed after it.

0 Kudos
Leader

The SYNC isn't on L2/L3 at all; those HA members do not "elect" each other, hence that weird situation indeed. As others already explained, they do not hear/see each other. That's all.

SYNC must be done on/via VMware vSwitch/vMotion groups, btw. :) Otherwise, as if on appliances, on a dedicated interface.

Jerry
0 Kudos
Participant

Hello Muhammad,

Your problem might not be with your Check Point cluster members. When I suffered from this issue, it was an advanced network adapter feature, 'enable MAC address spoofing', that needed to be checked in the Hyper-V configuration.


Hello Muhammad,

Check the sync with #fw ctl pstat on both units, capture the CCP packets (UDP 8116) with #tcpdump -nne -i eth0 udp port 8116, and try to disable cluster membership from cpconfig, reboot, enable it, and reboot again, on both members.

In the end, list all the kernel parameters and their values with the following command and compare the values with WinMerge, or egrep with the "mac", "ccp" and "cluster" keys:

#modinfo -p $FWDIR/boot/modules/fw_kern_64*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_kernel_parameters.txt 2>> /var/log/fw_kernel_parameters.txt

#egrep "ccp"  /var/log/fw_kernel_parameters.txt

Regards, 

Abdessamed

0 Kudos
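Abdessamed's comparison step, done as a script: an added example (not from the original post and not Check Point's own tooling) that takes two "fw ctl get int" dumps, one per member, and reports the mac/ccp/cluster parameters whose values differ or that exist on only one member. The dumps are constructed inline; apart from fwha_mac_magic and fwha_mac_forward_magic, the parameter names and all values are placeholders.

```shell
#!/bin/sh
# Added example: compare "fw ctl get int" dumps from two cluster members and
# report cluster-related kernel parameters that differ between them.
# Each dump line is assumed to look like "<parameter> = <value>".
LC_ALL=C
export LC_ALL

# Constructed sample dumps standing in for /var/log/fw_kernel_parameters.txt
# from each member. Only fwha_mac_magic and fwha_mac_forward_magic are real
# parameter names; the *_placeholder_* names and all values are made up.
GW1_DUMP='fwha_mac_magic = 1
fwha_mac_forward_magic = 254
fwha_ccp_placeholder_mode = 0
fwha_cluster_placeholder_id = 0
fw_placeholder_unrelated = 5'

GW2_DUMP='fwha_mac_magic = 1
fwha_mac_forward_magic = 254
fwha_ccp_placeholder_mode = 1
fwha_cluster_placeholder_id = 0
fwha_cluster_placeholder_extra = 7
fw_placeholder_unrelated = 5'

# Keep only parameters whose name mentions mac, ccp or cluster, normalised to
# "name value" and sorted by name so join(1) can pair the two lists.
cluster_params() {
    printf '%s\n' "$1" \
        | grep -Ei 'mac|ccp|cluster' \
        | sed -E 's/^[[:space:]]*([^[:space:]=]+)[[:space:]]*=[[:space:]]*(.*)$/\1 \2/' \
        | sort -k1,1
}

# Print "name gw1_value gw2_value" for every parameter whose values differ or
# that exists on only one member (the missing side is shown as MISSING).
diff_cluster_params() {
    tmp1=$(mktemp) ; tmp2=$(mktemp)
    cluster_params "$1" > "$tmp1"
    cluster_params "$2" > "$tmp2"
    join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$tmp1" "$tmp2" \
        | awk '$2 != $3 { print $1, $2, $3 }'
    rm -f "$tmp1" "$tmp2"
}

diff_cluster_params "$GW1_DUMP" "$GW2_DUMP"
```

On real members, replace the two inline dumps with the contents of the per-member /var/log/fw_kernel_parameters.txt files; an empty result means the filtered parameters match.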
Participant

Thanks to everyone who replied to this post and assisted me in troubleshooting. After investigating further, I found that there was nothing wrong with the Check Point cluster members / HA configuration; it was the VM infrastructure which had the issues. The infrastructure team made some changes on the HA VLAN Port-Group in vCenter. After this change, one cluster member became "ACTIVE" and the other "STANDBY".

Explorer

Hi Ali, I am having the same issue. Can you share what exactly the issue was, and what change was made on the HA VLAN Port-Group in vCenter? Much appreciated!
0 Kudos