This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JED
Participant
‎2025-04-07 05:03 AM

Checkpoint 23500 VSX

Checkpoint 23500 VSX  Cluster  and Vs"X"  Cluster states.

================================================

 

Hi community , I have the following condition on my 23500  and would appreciate advice / support on what the condition is or how the correct behavior should be?

 

23500 VSX Set up
I have two 23500 set up as a cluster.
on each there exists
Vs0
Vs1 with Gateway config
Vs2 with gateway config
Vs3 named with no gateway config
Vs4 named with no gateway config

Checking the Operational state on the Primary GW the output indicates


1 (local) 169.254.1.1 100% ACTIVE PRIMARY
2 169.254.1.2 0% STANDBY SECONDARY


Checking the Operational state on the Secondary GW the output indicates

1 169.254.1.1 100% ACTIVE PRIMARY
2 (local) 169.254.1.2 0% STANDBY SECONDARY

This indictes the Condition that one would expect.
Then further down in the outputs the state of the four virtual Gateway states is as shown

On Primary

Virtual Devices Status on each Cluster Member
=============================================

ID | Weight| Pri_ | Sec_
| | VSX | VSX
| | [local] |
-------+-------+-----------+-----------
1 | 10 | STANDBY | ACTIVE
4 | 10 | STANDBY | ACTIVE
---------------+-----------+-----------
Active | 0 | 2
Weight | 0 | 20
Weight (%) | 0 | 100


On SECONDARY

Virtual Devices Status on each Cluster Member
=============================================

ID | Weight| Pri_ | Sec_
| | VSX | VSX
| | | [local]
-------+-------+-----------+-----------
1 | 10 | STANDBY | ACTIVE
4 | 10 | STANDBY | ACTIVE
---------------+-----------+-----------
Active | 0 | 2
Weight | 0 | 20
Weight (%) | 0 | 100


ON PRIMARY
show virtual-system all
Virtual systems list
VS ID VS NAME
0 0
1 GW1
2 GW2
3 GW3
4 GW4

ON SECONDARY

show virtual-system all
Virtual systems list
VS ID VS NAME
0 0
1 GW1
2 GW2
3 GW3
4 GW4

==

Checking each VSX state :

On PRIMARY


GW:1> cphaprob stat

Cluster Mode: Virtual System Load Sharing (Primary Up)

ID Unique Address Assigned Load State Name

1 (local) 169.254.1.1 0% STANDBY PRIMARY
2 169.254.1.2 100% ACTIVE SECONDARY


GW:2> cphaprob stat

HA module not started.

GW:3> cphaprob stat

HA module not started.

GW4:4> cphaprob stat

Cluster Mode: Virtual System Load Sharing (Primary Up)

ID Unique Address Assigned Load State Name

1 (local) 169.254.1.1 0% STANDBY PRIMARY
2 169.254.1.2 100% ACTIVE SECONDARY


Checking each VSX state :

On SECONDARY

GW:1> cphaprob stat

Cluster Mode: Virtual System Load Sharing (Primary Up)

ID Unique Address Assigned Load State Name

1 169.254.1.1 0% STANDBY PRIMARY
2 (local) 169.254.1.2 100% ACTIVE SECONDARY

GW:2> cphaprob stat

HA module not started.

GW:3> cphaprob stat

HA module not started.


GW:4> cphaprob stat

Cluster Mode: Virtual System Load Sharing (Primary Up)

ID Unique Address Assigned Load State Name

1 169.254.1.1 0% STANDBY PRIMARY
2 (local) 169.254.1.2 100% ACTIVE SECONDARY

 

looking at the above it seem to show that the HA Module is not started.
The issue here is that following the initial install ( 8 months ago) we observed that all the Gateway
were originally showing as active on either one of the two available gateways as ACTIVE.

Now following a re-build of the Secondary Gateway we are experiencing the " split brain" scenario
where some of the virtual Gateways are showing as active on GW Primary and on GW Secondary although when
checking in Virtual System zero the state of the Gateway is showing as Active on the Primary.

( From memory all the VS were originally showing as Active on the Instance of VS0 Active but now
we see this split in the Active Control)

Can anyone on here possibly advise what the issue may be or if there is any configuration that may have been missed
or incorrectly deployed?

SW Release: HOTFIX_R81_10_JHF_T150_829_MAIN


Thanks
JED

 

 

0 Kudos
2 Replies
Martijn
Advisor
Advisor
‎2025-04-07 06:01 AM

Jed,

What do you mean by 'no gateway config'. Can you share more information on the cluster and VS's?

vsx stat -v
cphaprob -a if on all VS's
cphaprob -a list on all VS's

With fw monitor or tcpdump, do you see CCP packets in the interfaces?

Do you consider to upgrade to the recommended take for R81.10?  Maybe needed if you want to involve TAC.

Which gateway is really processing the traffic?

Regards,
Martijn




0 Kudos
emmap
Employee
Employee
‎2025-04-07 07:34 PM

I don't see any split brain from your outputs there, just that the VSs are active on the second gateway. Would have to check the VSLS priorities to see if that's unexpected. As to why VS 2 and 3 are stopped I can't tell from here - a 'vsx stat -v' output (remove any PII from it) would help so that we can see what kind of virtual device they are. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events