
Both security gateways are active in the Full HA cluster

Hi All,

I have configured two Check Point gateways using GAIA R80.20 and added both security gateways to a Full HA cluster. After configuring the sync interface, when I checked the High Availability state using the "cphaprob state" command, both gateways appeared as "Active". It is not displaying the secondary gateway as "Standby". Is there any setting or configuration change required to make the secondary gateway "Standby"?

Thanks.

28 Replies

Re: Both security gateways are active in the Full HA cluster

Make sure they are communicating on both Sync and other production interfaces. It looks like a clear split brain situation.

Another guess is that you are not using Full HA but Load Sharing physical cluster instead. In that case, it is normal.

Please post output of "cphaprob stat" command here


Re: Both security gateways are active in the Full HA cluster

Output of "cphaprob stat"

Gateway 1:

Gateway 2:


Re: Both security gateways are active in the Full HA cluster

Okay. It is a split brain. They do not see each other. Are they connected to the same network on at least 1 of the interfaces?


Re: Both security gateways are active in the Full HA cluster

Yes they both are connected to the same network


Re: Both security gateways are active in the Full HA cluster

Please also post the output of "cphaconf cluster_id get" from both of them


Re: Both security gateways are active in the Full HA cluster

I am using R80.20 and I believe from R80.10 onwards there is a new algorithm introduced which does automatic selection of the MAC magic.


Re: Both security gateways are active in the Full HA cluster

Okay, need output from each for this: 

  1. fw ctl get int fwha_mac_magic

do it from expert shell


Re: Both security gateways are active in the Full HA cluster

I get this result on both gateways when I run fw ctl get int fwha_mac_magic

If you are after ClusterXL detail for both gateways then it is shown below:

Gateway 1

Gateway 2

Maarten_Sjouw
Platinum

Re: Both security gateways are active in the Full HA cluster

Are these gateways production appliances, or do you have them set up in a test environment in VMware?

If the latter, please disable all port security features on the switch ports leading to the FWs.

Regards, Maarten

Re: Both security gateways are active in the Full HA cluster

Gateways are not production appliances yet but they will be deployed soon once HA starts working.

Yes, they are running in a virtual environment and I have disabled all port security features, but no luck.


Re: Both security gateways are active in the Full HA cluster

The LOST state means: the peer cluster member lost connectivity to this local cluster member (for example, while the peer cluster member is rebooted).

Check policy install (fw stat), check the license and that cluster membership is enabled in cpconfig, but it looks like a connectivity issue.

POST: cphaprob -a if, cphaprob -l list


Re: Both security gateways are active in the Full HA cluster

Currently there are no policies installed as it is a new setup. The cleanup rule has been set to allow all traffic, and cluster membership is enabled in cpconfig. It can be a connectivity issue, but I couldn't figure out where the problem is.

The output of "cphaprob -a if" and "cphaprob -l list":

Gateway 1:

Gateway 2:


Re: Both security gateways are active in the Full HA cluster

Okay, that explains it... You need to push policy for cluster to work properly. Before that, any checks are pointless. 


Re: Both security gateways are active in the Full HA cluster

I have also tested to push the policy for cluster but it didn't help either. 

Maarten_Sjouw
Platinum

Re: Both security gateways are active in the Full HA cluster

Reboot both members and also check on the switches whether they allow multicast.

Last but not least check with cpconfig if cluster membership is enabled.

Regards, Maarten

Re: Both security gateways are active in the Full HA cluster

I see policy installed with time and date, and pnote also shows Policy = OK, but try to install one more time, if it helps.


Re: Both security gateways are active in the Full HA cluster

I have tried to install policies a number of times, making different changes, but no joy.


Re: Both security gateways are active in the Full HA cluster

Try to switch to a different mode than unicast (cphaconf set_ccp broadcast) on both nodes and reboot.

Send the Sync section from fw ctl pstat.

And also:

cphaprob syncstat
cphaprob mmagic


Re: Both security gateways are active in the Full HA cluster

Gateway 1

[Expert@gw-001:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None

Gateway 2

[Expert@gw-002:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None.


Re: Both security gateways are active in the Full HA cluster

I cannot see any issue.


Re: Both security gateways are active in the Full HA cluster

Pay special attention whether the cluster members are configured identically:

  • security policy (cpstat -f policy fw)
  • status of SecureXL (fwaccel stat)
  • FireWall-1 Chain Modules (fw ctl chain)
  • FireWall-1 Connections Modules (fw ctl conn)
  • enabled_blades

Otherwise create a TAC ticket, because a debug is needed.


Re: Both security gateways are active in the Full HA cluster

Why don't you try to use a dedicated interface for sync? It appears that you are using Cluster + Sync on eth0, and maybe that is somehow confusing it?


Re: Both security gateways are active in the Full HA cluster

I did try to use a dedicated interface for sync, but that didn't help either; I was getting the same result.

Employee+

Re: Both security gateways are active in the Full HA cluster

Hello Muhammad,

Your members don't hear each other. Please check your Sync (eth0) connectivity between members; try to perform a ping and tcpdump investigation. Make sure that you are using an L2 connection between your members. Check that your environment doesn't have a duplicate of the IP on the physical interfaces of the members. Check that "Get Topology" has been done and the policy was installed after it.

Jerry
Gold

Re: Both security gateways are active in the Full HA cluster

The SYNC isn't on L2/L3 at all; those HA members do not "elect" each other, hence that weird situation indeed. As others already explained, they do not hear/see each other. That's all.

SYNC must be done on/via VMware vSwitch/vMotion groups btw. :) Otherwise, as if on appliances, on a dedicated int.

Jerry

Re: Both security gateways are active in the Full HA cluster

Hello Muhammad,

Your problem might not be with your Check Point cluster members. When I suffered from this issue, it was an advanced network adapter feature, 'enable MAC address spoofing', that needed to be checked in the Hyper-V configuration.

Re: Both security gateways are active in the Full HA cluster

Hello Muhammad, 

Check the sync with fw ctl pstat on both units, capture CCP packets (UDP 8116) with tcpdump -nnei eth0 udp port 8116 on the sync interface, and try to disable cluster membership from cpconfig, reboot, enable it, and reboot again on both members.

In the end, list all the kernel parameters and their values with the following command and compare the values with WinMerge, or egrep with the "mac", "ccp", "cluster" keys:

#modinfo -p $FWDIR/boot/modules/fw_kern_64*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_kernel_parameters.txt 2>> /var/log/fw_kernel_parameters.txt


#egrep "ccp" /var/log/fw_kernel_parameters.txt

Regards, 

Abdessamed

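As an added example (not part of this thread or of any Check Point tool), here is a small POSIX shell script that automates the comparison Abdessamed describes: it takes two "fw ctl get int" dumps of the form "name = value", one per cluster member, and reports every parameter whose value differs or that exists on only one member, optionally filtered by an egrep-style key such as "mac|ccp|cluster". The two dumps below are constructed sample data; fwha_mac_magic is the parameter named in the thread, fwha_mac_forward_magic is assumed to be the kernel parameter behind the "MAC forward magic" line of cphaprob mmagic, and the names ending in _example are hypothetical placeholders used only to exercise the filter.

```shell
#!/bin/sh
# Added example: diff two ClusterXL kernel-parameter dumps member by member.
# Input format assumed: one "name = value" line per parameter, as written by
# "fw ctl get int <name>" redirected to /var/log/fw_kernel_parameters.txt.

# Constructed sample dump for member 1 (gw-001). Values are made up;
# names ending in _example are hypothetical and exist only for this demo.
GW1_DUMP=$(cat <<'EOF'
fwha_mac_magic = 1
fwha_mac_forward_magic = 254
fwha_ccp_example = 0
fwha_cluster_example = 7
fw_unrelated_example = 3
EOF
)

# Constructed sample dump for member 2 (gw-002): one value differs in a
# "ccp" parameter, one unrelated value differs, and one parameter is missing.
GW2_DUMP=$(cat <<'EOF'
fwha_mac_magic = 1
fwha_ccp_example = 1
fwha_cluster_example = 7
fw_unrelated_example = 5
EOF
)

# compare_dumps DUMP1 DUMP2 [FILTER]
# Prints "name value1 value2" for every parameter whose values differ between
# the two dumps; a parameter missing on one side is shown as "-".
# FILTER is an extended regular expression applied to the parameter name
# (default "." = every name). Output is sorted for stable diffs.
compare_dumps() {
    filter=${3:-.}
    {
        printf '%s\n' "$1" | sed 's/^/1 /'   # tag member 1 lines
        printf '%s\n' "$2" | sed 's/^/2 /'   # tag member 2 lines
    } | awk -v filter="$filter" '
        # each tagged line: <member> <name> = <value>
        $3 == "=" {
            name = $2; val = $4
            if ($1 == 1) v1[name] = val; else v2[name] = val
            seen[name] = 1
        }
        END {
            for (n in seen) {
                if (n !~ filter) continue
                a = (n in v1) ? v1[n] : "-"
                b = (n in v2) ? v2[n] : "-"
                if (a != b) printf "%s %s %s\n", n, a, b
            }
        }' | sort
}

# count_mismatches DUMP1 DUMP2 [FILTER]: number of differing parameters.
count_mismatches() {
    compare_dumps "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone usage: show cluster-relevant mismatches, then the total.
echo "Mismatching cluster parameters (mac|ccp|cluster):"
compare_dumps "$GW1_DUMP" "$GW2_DUMP" 'mac|ccp|cluster'
echo "Total mismatching parameters: $(count_mismatches "$GW1_DUMP" "$GW2_DUMP")"
```

On real members you would replace the constructed strings with the contents of each member's /var/log/fw_kernel_parameters.txt (for example `GW1_DUMP=$(cat gw1.txt)`); any line the script prints is a parameter worth explaining before opening a TAC case, and an empty result for the "mac|ccp|cluster" filter points back at the network path rather than the members' configuration.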

Re: Both security gateways are active in the Full HA cluster

Thanks to everyone who replied to this post and assisted me in troubleshooting. After investigating further, I found that there was nothing wrong with the Check Point cluster members / HA configuration; it was the VM infrastructure that had the issues. The infrastructure team made some changes on the HA VLAN port group in vCenter. After this change, one cluster member became "ACTIVE" and the other "STANDBY".