This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Robert_Ellis1
Contributor
‎2021-05-11 09:03 AM

Cloudguard Cluster not receiving traffic

We are experiencing an issue with a HA Cloudguard Cluster

The cluster is in the standard, templated configuration

Traffic targeting the front-end Azure Load Balancer is never seen on either the active or non-active cluster member

For example, using this :

 fw monitor -e 'accept dport=8080;' 

on both cluster members, then sending packets to the front-end IP address of the front-end Load balancer on port 8080, we see absolutely no activity

We have a support ticket running and our support partner are making noises about a problem with the cluster-vip not following to the correct place when a failover occurs. CP are investigating, but the test above shows absolutely no traffic, even when the cluster-vip is associated with the active member VM,

We have Logging configured on every rule in the Access Policy; the test connections are never logged

Any ideas?

thanks

0 Kudos
2 Replies
Robert_Ellis1
Contributor
‎2021-05-11 02:55 PM

 

fw ctl zdebug -m cluster cloud on the active member 

@;11565788;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: sending reply to 168.63.129.16 on eth1 (2);
@;11565788;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 16 ACK ;
@;11565788;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@...

@;11565821;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 17 ACK FIN ;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 194 SYN ECE CWR ;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: sending reply to 168.63.129.16 on eth1 (2);
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 16 ACK ;

fw ctl zdebug -m cluster cloud on the standby member

@;5652146;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652172;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652197;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652223;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652236;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652288;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;

However when I check the metrics of the front-end load balancer, the DATA PATH AVAILABILITY is consitently carrying a value of 100.  Does this seem right?

0 Kudos
Vladimir
Champion
Champion
‎2021-05-11 06:34 PM

@Robert_Ellis1 , apologies if I am not seeing the whole picture here (simple diagram would be helpful), but is your load balanser supposed to forward inbound traffic coming in on 8080 to CP cluster members on 8080, or is the inbound traffic the load balancer expecting should be coming in on port 80?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events