Output of "cphaprob stat"

Gateway 1:

Gateway 2:

Okay. It is a split brain. They do not see each other. Are they connected to the same network on at least 1 of the interfaces?

Yes they both are connected to the same network

Please also post "cphaconf cluster_id" get from both of them

I am using R80.20 and I believe from R80.10 onwards there is a new algorithm introduced which does automatic selection for the MAC magic

Okay, need output from each for this: 

1. fw ctl get int fwha_mac_magic

do it from expert shell

I get this result on both gateways when I run fw ctl get int fwha_mac_magic

If you are after ClusterXL detail for both gateways then it is shown below:

Gateway 1

Gateway 2

Are these gateways production appliances? or do you have them setup in test in VM-Ware?

If the latter, please disable all port security features of the switch ports leading to the FW's.

Gateways are not production appliances yet but they will be deployed soon once HA starts working.

Yes they are running in virtual environment and I have disable all port security features but no luck.

Hi,

I'm having this exact same issue with R80.40 JHF 118 running on a 15000 appliance. This started after an upgrade from r80.20 to r80.40. Any idea how to solve this. Thank you!

You have a R80.40 Full Management HA Cluster ? This is a deployment i would not suggest to anybody ! Better contact TAC to resolve this...

Issue solved after rebooting both gateways and installing policy. No we do not have a Full Management HA Cluster.

Thank you for your reply 🙂

Reboot is good 8) ! The original issue was with Full Management HA cluster and you wrote: I'm having this exact same issue with R80.40 JHF 118 running on a 15000 appliance.

Currently there are no policies installed as it is new setup. Cleanup rule has been set to allow all traffic. And cluster membership is enabled in cpconfig. It can be connectivity issue but couldn't figure out where the problem will be.

The output of "cphaprob -a if" and "cphaprob -l list":

Gateway 1:

Gateway 2:

Okay, that explains it... You need to push policy for cluster to work properly. Before that, any checks are pointless. 

I have also tested to push the policy for cluster but it didn't help either. 

Reboot both members and also check on the Switches if they allow Multicast.

Last but not least check with cpconfig if cluster membership is enabled.

Have tried to install policies number of times by making different changes but no joy.

Gateway 1

[Expert@gw-001:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None

Gateway 2

[Expert@gw-002:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None.

I can not see any issue.

Pay special attention whether the cluster members are configured identically:

• security policy (cpstat -f policy fw)
• status of SecureXL (fwaccel stat)
• FireWall-1 Chain Modules (fw ctl chain)
• FireWall-1 Connections Modules (fw ctl conn)
• enabled_blades

Else create TAC ticket, because debug is needed.

I did try to use dedicated interface for sync but that didn't help either, I was getting same result.