- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hi All,
I have configured two Checkpoint Gateways using GAIA R80.20 and added both security gateways in the Full HA cluster. After configuring the sync interface when I have check the High Availability state using "cphaprob state" command both gateways are appearing as "Active". It is not displaying secondary gateway as "Stand by" gateway. Is there any settings or configuration change required to change the secondary gateway as "Stand by"?
Thanks.
Make sure they are communicating on both Sync and other production interfaces. It looks like a clear split brain situation.
Another guess is that you are not using Full HA but Load Sharing physical cluster instead. In that case, it is normal.
Please post output of "cphaprob stat" command here
Output of "cphaprob stat"
Gateway 1:
Gateway 2:
Okay. It is a split brain. They do not see each other. Are they connected to the same network on at least 1 of the interfaces?
Yes they both are connected to the same network
Please also post "cphaconf cluster_id" get
from both of them
I am using R80.20 and I believe from R80.10 onwards there is a new algorithm introduced which does automatic selection for the MAC magic
Okay, need output from each for this:
fw ctl get int fwha_mac_magic
do it from expert shell
I get this result on both gateways when I run fw ctl get int fwha_mac_magic
If you are after ClusterXL detail for both gateways then it is shown below:
Gateway 1
Gateway 2
Are these gateways production appliances? or do you have them setup in test in VM-Ware?
If the latter, please disable all port security features of the switch ports leading to the FW's.
Gateways are not production appliances yet but they will be deployed soon once HA starts working.
Yes they are running in virtual environment and I have disable all port security features but no luck.
Hi,
I'm having this exact same issue with R80.40 JHF 118 running on a 15000 appliance. This started after an upgrade from r80.20 to r80.40. Any idea how to solve this. Thank you!
You have a R80.40 Full Management HA Cluster ? This is a deployment i would not suggest to anybody ! Better contact TAC to resolve this...
Issue solved after rebooting both gateways and installing policy. No we do not have a Full Management HA Cluster.
Thank you for your reply 🙂
Reboot is good 8) ! The original issue was with Full Management HA cluster and you wrote: I'm having this exact same issue with R80.40 JHF 118 running on a 15000 appliance.
The LOST state says - The peer cluster member lost connectivity to this local cluster member (for example, while the peer cluster member is rebooted).
check policy install - fw stat, check the license and cluster membership enabled in cpconfig but it looks like a connectivity issue.
POST: cphaprob -a if, cphaprob -l list
Currently there are no policies installed as it is new setup. Cleanup rule has been set to allow all traffic. And cluster membership is enabled in cpconfig. It can be connectivity issue but couldn't figure out where the problem will be.
The output of "cphaprob -a if" and "cphaprob -l list":
Gateway 1:
Gateway 2:
Okay, that explains it... You need to push policy for cluster to work properly. Before that, any checks are pointless.
I have also tested to push the policy for cluster but it didn't help either.
Reboot both members and also check on the Switches if they allow Multicast.
Last but not least check with cpconfig if cluster membership is enabled.
I see policy installed with time and date, and pnote also shows Policy = OK, but try to install one more time, if it helps.
Have tried to install policies number of times by making different changes but no joy.
Try to switch to a different mode than unicast, cphaconf set_ccp broadcast, both nodes and reboot.
Send section Sync from fw ctl pstat
And also:
cphaprob syncstat
cphaprob mmagic
Gateway 1
[Expert@gw-001:0]# cphaprob mmagic
Configuration mode: Automatic
Configuration phase: Stable
MAC magic: 1
MAC forward magic: 254
Used MAC magic values: None
Gateway 2
[Expert@gw-002:0]# cphaprob mmagic
Configuration mode: Automatic
Configuration phase: Stable
MAC magic: 1
MAC forward magic: 254
Used MAC magic values: None.
I can not see any issue.
Pay special attention whether the cluster members are configured identically:
cpstat -f policy fw
)fwaccel stat
)fw ctl chain
)fw ctl conn
)Else create TAC ticket, because debug is needed.
Why don't you try to use a dedicated interface for sync? It appears that you are using Cluster + Sync on eth0 and may be that is somehow confusing it?
I did try to use dedicated interface for sync but that didn't help either, I was getting same result.
Hello Muhammad,
Your members don't hear each other. Please check your Sync (eth0) connectivity between members, try to perform ping and tcpdump investigation. Make sure, that you are using L2 connection between your members. Check, that your environment doesn't have duplicate of the IP on the physical interfaces of the members. Check, that the "Get Topology" has been done and policy was installed after it.
the SYNC isn't on L2/L3 at all - those HA members does not "elect" each other respectively hence that wired indeed situation. as other already explained - they do not hear/see each other. that's all.
SYNC must be done on/via VMWare vSwitch/vMotion groups btw. otherwise as if on Appliances on dedicated int.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
14 | |
12 | |
11 | |
9 | |
8 | |
7 | |
5 | |
5 | |
5 | |
5 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY