Hi All,
I have configured two Check Point gateways using Gaia R80.20 and added both security gateways to the Full HA cluster. After configuring the sync interface, when I checked the High Availability state using the "cphaprob state" command, both gateways are appearing as "Active". It is not displaying the secondary gateway as the "Standby" gateway. Are there any settings or configuration changes required to change the secondary gateway to "Standby"?
Thanks.
Hello Muhammad,
Your problem might not be with your Check Point cluster members. When I suffered from this issue, it was an advanced network adapter feature, 'Enable MAC address spoofing', that needed to be checked in the Hyper-V configuration.
Hello Muhammad,
Check the sync with #fw ctl pstat on both units, capture CCP packets (UDP 8116) with #tcpdump -nnei <sync_interface> port 8116, and try to disable cluster membership from cpconfig, reboot, enable it, and reboot, for both members.
Finally, list all the kernel parameters and their values with the following command, and compare the values with WinMerge or egrep using the "mac", "ccp", "cluster" keys:
#modinfo -p $FWDIR/boot/modules/fw_kern_64*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_kernel_parameters.txt 2>> /var/log/fw_kernel_parameters.txt
#egrep "ccp" /var/log/fw_kernel_parameters.txt
Regards,
Abdessamed
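The comparison suggested in the reply above (dump the kernel parameters on each member, then compare the "mac", "ccp" and "cluster" entries), as an added shell example that is not part of the original posts. It assumes each dump contains `name = value` lines; `diff_cluster_params`, `make_sample_dumps` and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes "name = value" lines as printed
# by "fw ctl get int"; lines without "=" (error text) are skipped.

# diff_cluster_params A B: print each parameter whose name contains mac, ccp
# or cluster and whose value differs between dumps A and B.
# Returns 0 if the filtered parameters match, 1 if any differ.
diff_cluster_params() {
    out=$(awk -F'[ \t]*=[ \t]*' '
        NF < 2 || $1 !~ /mac|ccp|cluster/ { next }
        { sub(/[ \t\r]+$/, "", $2) }              # trim trailing blanks / CR
        FILENAME == ARGV[1] { a[$1] = $2; next }  # first dump
        { b[$1] = $2 }                            # second dump
        END {
            for (k in a) {
                if (!(k in b)) print k ": A=" a[k] " B=<missing>"
                else if (a[k] != b[k]) print k ": A=" a[k] " B=" b[k]
            }
            for (k in b) if (!(k in a)) print k ": A=<missing> B=" b[k]
        }' "$1" "$2" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample dumps; every name except fwha_mac_magic is made up.
make_sample_dumps() {
    cat > "$1/memberA.txt" <<'EOF'
fwha_mac_magic = 254
sample_ccp_mode = 1
sample_cluster_timer = 10
sample_unrelated = 7
EOF
    cat > "$1/memberB.txt" <<'EOF'
fwha_mac_magic = 250
sample_ccp_mode = 1
sample_unrelated = 9
constructed error line mentioning ccp without an equals sign
EOF
}

demo_dir=$(mktemp -d)
make_sample_dumps "$demo_dir"
diff_cluster_params "$demo_dir/memberA.txt" "$demo_dir/memberB.txt" || true
```

On real members, copy each `/var/log/fw_kernel_parameters.txt` to one host under different names and pass both paths to the function.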
Thanks to everyone who replied to this post and assisted me in troubleshooting. After investigating further, I found that there was nothing wrong with the Check Point cluster members / HA configuration, but it was the VM infrastructure which had the issues. The infrastructure team made some changes on the HA VLAN Port-Group in vCenter. After this change, one cluster member became "ACTIVE" and the other "STANDBY".
Hello, I had the same issue with R77.30 and this helped -> https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Best-Practice-for-HA-sync-interfa...
Setting the sync interface's VMware port group Promiscuous mode, MAC address changes and Forged transmits from Reject -> Accept.
Before the changes, tcpdump also showed some cluster packets, but probably the aforementioned security features filtered some important ones out or something.
Never mind, I should have scrolled all the way down, haha. Glad you were able to figure it out.
I would check the option to use virtual MAC, as it would always be associated with no matter which one is active. Also, run the commands below and let us know the outcome:
cphaprob state
cphaprob -a if
cphaprob list
cphaprob syncstat
If still no luck, maybe try doing cphastop and cphastart on one of them and see what happens. Does sync show okay on both members?
Issue resolved after a reboot of both cluster members and a policy push.
Thank you