Muhammad_Ali
Participant

Both security gateways are active in the Full HA cluster

Hi All,

I have configured two Check Point gateways using Gaia R80.20 and added both security gateways to a Full HA cluster. After configuring the sync interface, when I check the High Availability state using the "cphaprob state" command, both gateways appear as "Active". It is not displaying the secondary gateway as "Standby". Are there any settings or configuration changes required to make the secondary gateway "Standby"?

Thanks.

0 Kudos
37 Replies
_Val_
Admin

Make sure they are communicating on both Sync and other production interfaces. It looks like a clear split brain situation.

Another guess is that you are not using Full HA but Load Sharing physical cluster instead. In that case, it is normal.

Please post output of "cphaprob stat" command here

0 Kudos
Muhammad_Ali
Participant

Output of "cphaprob stat"

Gateway 1:

Gateway 2:

0 Kudos
_Val_
Admin

Okay. It is a split brain. They do not see each other. Are they connected to the same network on at least 1 of the interfaces?

0 Kudos
Muhammad_Ali
Participant

Yes they both are connected to the same network

0 Kudos
_Val_
Admin

Please also post the output of "cphaconf cluster_id get" from both of them.

0 Kudos
Muhammad_Ali
Participant

I am using R80.20 and I believe from R80.10 onwards there is a new algorithm introduced which does automatic selection for the MAC magic

0 Kudos
_Val_
Admin

Okay, I need the output of this from each member:

  1. fw ctl get int fwha_mac_magic

Run it from the expert shell.

0 Kudos
Muhammad_Ali
Participant

I get this result on both gateways when I run fw ctl get int fwha_mac_magic

If you are after ClusterXL detail for both gateways then it is shown below:

Gateway 1

Gateway 2

0 Kudos
Maarten_Sjouw
Champion

Are these gateways production appliances, or do you have them set up in a test environment on VMware?

If the latter, please disable all port security features on the switch ports leading to the FWs.

Regards, Maarten
0 Kudos
Muhammad_Ali
Participant

Gateways are not production appliances yet but they will be deployed soon once HA starts working.

Yes, they are running in a virtual environment and I have disabled all port security features, but no luck.

0 Kudos
GrassF
Contributor

Hi,

I'm having this exact same issue with R80.40 JHF 118 running on a 15000 appliance. This started after an upgrade from r80.20 to r80.40. Any idea how to solve this. Thank you!

0 Kudos
G_W_Albrecht
Legend

You have an R80.40 Full Management HA Cluster? This is a deployment I would not suggest to anybody! Better contact TAC to resolve this...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
GrassF
Contributor

Issue solved after rebooting both gateways and installing policy. No we do not have a Full Management HA Cluster.

Thank you for your reply 🙂

0 Kudos
G_W_Albrecht
Legend

Reboot is good 😎! The original issue was with a Full Management HA cluster, and you wrote: "I'm having this exact same issue with R80.40 JHF 118 running on a 15000 appliance."

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martin_Raska
Advisor

The LOST state says - The peer cluster member lost connectivity to this local cluster member (for example, while the peer cluster member is rebooted).

check policy install - fw stat, check the license and cluster membership enabled in cpconfig but it looks like a connectivity issue.

POST: cphaprob -a if, cphaprob -l list

0 Kudos
Muhammad_Ali
Participant

Currently there are no policies installed as it is a new setup. The cleanup rule has been set to allow all traffic, and cluster membership is enabled in cpconfig. It can be a connectivity issue, but I couldn't figure out where the problem would be.

The output of "cphaprob -a if" and "cphaprob -l list":

Gateway 1:

Gateway 2:

0 Kudos
_Val_
Admin

Okay, that explains it... You need to push policy for cluster to work properly. Before that, any checks are pointless. 

0 Kudos
Muhammad_Ali
Participant

I have also tested to push the policy for cluster but it didn't help either. 

0 Kudos
Maarten_Sjouw
Champion

Reboot both members and also check on the Switches if they allow Multicast.

Last but not least check with cpconfig if cluster membership is enabled.

Regards, Maarten
0 Kudos
Martin_Raska
Advisor

I see policy installed with time and date, and pnote also shows Policy = OK, but try to install one more time, if it helps.

0 Kudos
Muhammad_Ali
Participant

Have tried to install policies number of times by making different changes but no joy.

0 Kudos
Martin_Raska
Advisor

Try switching to a mode other than unicast: "cphaconf set_ccp broadcast" on both nodes, then reboot.

Send the Sync section from "fw ctl pstat".

And also:

cphaprob syncstat
cphaprob mmagic

0 Kudos
Muhammad_Ali
Participant

Gateway 1

[Expert@gw-001:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None

Gateway 2

[Expert@gw-002:0]# cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         1
MAC forward magic: 254

Used MAC magic values: None.

0 Kudos
Martin_Raska
Advisor

I can not see any issue.

0 Kudos
Martin_Raska
Advisor

Pay special attention whether the cluster members are configured identically:

  • security policy (cpstat -f policy fw)
  • status of SecureXL (fwaccel stat)
  • FireWall-1 Chain Modules (fw ctl chain)
  • FireWall-1 Connections Modules (fw ctl conn)
  • enabled_blades

Else create TAC ticket, because debug is needed.

0 Kudos
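The checklist above, plus the MAC magic, cluster ID and interface checks asked for earlier in the thread, lends itself to a small script: dump the relevant command output on each member, copy one dump across, and diff them section by section. This is an added example written for this page, not Check Point tooling. It assumes it runs from the Gaia expert shell, where cpstat, fwaccel, fw, enabled_blades, cphaprob and cphaconf are on PATH, and it assumes the only line that legitimately differs between members is a policy install timestamp containing the words "install time"; adjust IGNORE_RE if your output differs.

```shell
#!/bin/sh
# Added example (not Check Point's tooling): dump the per-member settings that
# the thread says must match on both ClusterXL members, then diff the dumps.
# Assumption: run from the Gaia expert shell with the listed commands on PATH.

# label|command pairs. Each command's output should be identical on both
# members (cphaprob state is deliberately absent: Active vs Standby differs).
MEMBER_CHECKS='policy|cpstat -f policy fw
securexl|fwaccel stat
chain|fw ctl chain
conn|fw ctl conn
blades|enabled_blades
mmagic|cphaprob mmagic
cluster_id|cphaconf cluster_id get
interfaces|cphaprob -a if'

# Lowercase regex; lines matching it are dropped before comparison because a
# policy install timestamp legitimately differs. Must not be empty.
# (Assumption: the timestamp line contains the words "install time".)
IGNORE_RE='install time'

# collect_member_dump OUTFILE: run every check, writing "### label" headers.
collect_member_dump() {
  out=$1
  : > "$out"
  printf '%s\n' "$MEMBER_CHECKS" | while IFS='|' read -r label cmd; do
    [ -n "$label" ] || continue
    printf '### %s\n' "$label" >> "$out"
    if command -v "${cmd%% *}" >/dev/null 2>&1; then
      # $cmd is intentionally unquoted so its arguments are word-split.
      $cmd >> "$out" 2>&1 || printf '(exit status %s)\n' "$?" >> "$out"
    else
      printf 'COMMAND NOT FOUND: %s\n' "$cmd" >> "$out"
    fi
  done
}

# dump_section FILE LABEL: print one section's body minus ignored lines.
dump_section() {
  awk -v want="$2" -v ign="$IGNORE_RE" '
    /^### /                      { in_sec = ($2 == want); next }
    in_sec && tolower($0) !~ ign { print }
  ' "$1"
}

# compare_member_dumps DUMP1 DUMP2: print the label of every section whose
# body differs (labels are taken from DUMP1). Returns 0 if all match, else 1.
compare_member_dumps() {
  rc=0
  for label in $(awk '/^### /{print $2}' "$1"); do
    a=$(dump_section "$1" "$label")
    b=$(dump_section "$2" "$label")
    if [ "$a" != "$b" ]; then
      echo "$label"
      rc=1
    fi
  done
  return "$rc"
}

# Usage on each member:   sh cluster_dump.sh collect /tmp/member-$(hostname).txt
# After copying one dump: sh cluster_dump.sh compare /tmp/gw-001.txt /tmp/gw-002.txt
case "$1" in
  collect) collect_member_dump "$2" ;;
  compare) compare_member_dumps "$2" "$3" ;;
esac
```

A non-empty result from "compare" names the sections to look at first; a mismatching "mmagic" section in particular means the members are ignoring each other's CCP traffic, which presents exactly as the two-Active state in the original post. An empty result with both members still Active points back at the network path between them rather than at configuration.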
HristoGrigorov

Why don't you try to use a dedicated interface for sync? It appears that you are using Cluster + Sync on eth0 and may be that is somehow confusing it?

0 Kudos
Muhammad_Ali
Participant

I did try to use dedicated interface for sync but that didn't help either, I was getting same result.

0 Kudos
Dmitry_Krupnik
Employee Alumnus

Hello Muhammad,

Your members don't hear each other. Please check your Sync (eth0) connectivity between members, try to perform ping and tcpdump investigation. Make sure, that you are using L2 connection between your members. Check, that your environment doesn't have duplicate of the IP on the physical interfaces of the members. Check, that the "Get Topology" has been done and policy was installed after it.

0 Kudos
Jerry
Mentor

The SYNC isn't on L2/L3 at all - those HA members do not "elect" each other, hence that weird situation indeed. As others already explained - they do not hear/see each other. That's all.

SYNC must be done on/via VMware vSwitch/vMotion groups, btw; otherwise, as on appliances, on a dedicated interface.

Jerry
0 Kudos
