This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gurowar
Contributor
9 hours ago

Cluster Interface for VLAN

Good day all,

Hope everyone is ready for Thanksgiving!! I have a pair of 16200 FWs running R81.10 Jumbo Hotfix Take 156 in a HA configuration.

I have 2 sub-interfaces off of eth3-02:

eth3-02.1925

eth3-02.301

both are connected to a trunk port to my layer 3 switch which in turn has a vlan1925 that connects to the Metro-E.  What I am trying to do is vlan1925 is connected to a metro-E to 2 other locations and we are in the process of decomming one site called 1ND. So I thought all I would need to do is at the 1ND location I can just disconnect the cable of the metro-E and be done with it.  But when I did that I received an alert on the firewall

Alert: mail; OriginSicName: CN=FireWall01,O=CheckPointMgmt.omeda.local.oy6o8p; cluster_info: (ClusterXL) member 1 (192.168.255.253) is down (Interface Active Check on member 1 (192.168.255.253) detected a problem (eth3-02.1925 interface is down, 9 interfaces required, only 8 up).).; ProductName: VPN-1 & FireWall-1; ProductFamily: Network

 HeaderDateHour: 26Nov2024  9:35:34; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 98; Action: ctl; Origin: FireWall01; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=FireWall01,O=CheckPointMgmt.omeda.local.oy6o8p; cluster_info: (ClusterXL) member 2 (192.168.255.254) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network

 HeaderDateHour: 26Nov2024  9:35:34; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 1; Action: ctl; Origin: FireWall02; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=FireWall02,O=CheckPointMgmt.omeda.local.oy6o8p; cluster_info: (ClusterXL) member 2 (192.168.255.254) is down (Interface Active Check on member 2 (192.168.255.254) detected a problem (eth3-02.1925 interface is down, 9 interfaces required, only 8 up).).; ProductName: VPN-1 & FireWall-1; ProductFamily: Network

why would it say that the interface 1925 is down on the firewall when I disconnected the cable from 1ND which is 40 miles west? When I plugged it back in everything cleared.  Should I have disabled and remove the VLAN/IP address first from the 1ND location instead of just unplugging it?

diagram

FW ----eth3-02.1925  => Trunk port to layer 3 SW => Trunk port to Metro-E => Trunk Port 1ND VLAN1925

              eth3-02.301  

Thank you in advance!!!!

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
8 hours ago

ClusterXL monitors the state of all interfaces on cluster members.
If one of the members loses access to one of their monitored interfaces...you'll get that message.
See also: https://support.checkpoint.com/results/sk/sk61323 

0 Kudos
gurowar
Contributor
8 hours ago
In response to PhoneBoy

So according to the SK61323 my set up is that it is monitoring both the high and low vlans.  I only have 2 vlans:

 

vlan302

vlan1925

[Expert@Firewall01:0]# fw ctl get int fwha_monitor_low_high_vlans
fwha_monitor_low_high_vlans = 1

so if I change it to 0 then only the lowest vlan will be monitored, in my case only vlan302.  So then I should be able to go to 1ND and unplug the cable and we should be good to go or am I reading this incorrectly?

 

0 Kudos
the_rock
Legend
Legend
3 hours ago
In response to gurowar

I believe if its set to 1, ONLY lowest and highest vlans are monitored. If its 0, then most likely just lowest. To answer your question, yes, thats my understanding as well, you should be good.

Andy

0 Kudos
emmap
Employee
Employee
28m ago
In response to gurowar

If the VLAN and switching layer is operating properly then the two cluster members should always see each other on the VLAN and that will satisfy the monitoring requirements. If the VLAN itself is disappearing from the trunk then yes, either change the monitoring or remove the interface (or set it to private/non-monitored in the topology section in the cluster object in smartconsole)

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events