Cluster XL Secondary Gateway Cannot Access to the Internet or Gateway
Hi Team
What is the reason the secondary gateway is unable to ping the internet or its default gateway when it is in Standby mode?
Note
Once the gateway became primary, it started to reach the internet, but then the other gateway lost internet reachability.
Thank You
We will need some further information about your configuration to understand the possible causes.
Do you use a configuration such as the following?
This is not the solution. Please find the information below.
Primary Gateway
eth0 - 172.16.200.251/24 - Internal
eth1 - 172.16.254.1/30 - Sync
eth2 - 10.200.10.101/24
eth3 - 10.200.20.101/24
Secondary GW
eth0 - 172.16.200.252/24 - Internal
eth1 - 172.16.254.2/30 - Sync
eth2 - 10.200.10.102/24 - External
eth3 - 10.200.20.102/24 - External
Cluster IP
eth0 - 172.16.200.254/24 - Internal
eth1 - N/A - Sync
eth2 - 10.200.10.100/24
eth3 - 10.200.20.100/24
After the cluster setup, the secondary gateway was unable to ping either of its WAN gateways, 10.200.10.254 or 10.200.20.254. This setup is implemented in a virtual environment, and both gateways and the management server run the R81.10 firmware release.
This is not the scenario. I have shared the information.
Is this deployed in VMware and what specific rules are defined in the policy to allow the traffic?
What do you see in packet capture?
This one could help:
https://support.checkpoint.com/results/sk/sk43807
If you like this post please give a thumbs up (kudo)! 🙂
This was followed but no luck.
I know it may seem trivial, but make sure this is allowed.
Andy
Already followed the steps.
Can you send outputs of commands I sent in the other post?
Andy
Hi @the_rock
Please find the output here.
[Expert@CP-GW-1:0]# cphaprob state
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 172.16.200.251 0% STANDBY CP-GW-1
2 172.16.200.252 100% ACTIVE CP-GW-2
Active PNOTEs: None
Last member state change event:
Event Code: CLUS-114802
State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Tue Jun 18 17:17:32 2024
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Jun 18 17:02:49 2024
Cluster failover count:
Failover counter: 3
Time of counter reset: Tue Jun 18 16:49:29 2024 (reboot)
[Expert@CP-GW-1:0]# tracepath 8.8.8.8
1?: [LOCALHOST] pmtu 1500
1: no reply
2: no reply
3: no reply
[Expert@CP-GW-1:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
[Expert@CP-GW-1:0]# ip r g 8.8.8.8
8.8.8.8 via 10.200.10.254 dev eth2 src 10.200.10.101
Thank You
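As an added example (not part of the post above and not Check Point tooling), here is a small Python parser for the cphaprob state output quoted in that post. It pulls out the member table, the last failover reason and the failover counter, and flags the "Incorrect configuration" line, which is the decisive clue in this output: ClusterXL itself reports that the members disagree on their cluster interfaces. The sample text is the poster's output embedded as a constant so the script runs offline; the finding wording and the triage thresholds are my own.

```python
import re

# Constructed sample input: the `cphaprob state` output quoted in the post above,
# embedded here so the parser runs offline.
CPHAPROB_SAMPLE = """\
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 172.16.200.251 0% STANDBY CP-GW-1
2 172.16.200.252 100% ACTIVE CP-GW-2
Active PNOTEs: None
Last member state change event:
Event Code: CLUS-114802
State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Tue Jun 18 17:17:32 2024
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Jun 18 17:02:49 2024
Cluster failover count:
Failover counter: 3
Time of counter reset: Tue Jun 18 16:49:29 2024 (reboot)
"""

# One row of the member table: "<id> [(local)] <ip> <load>% <STATE> <name>"
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<local>\(local\)\s+)?(?P<addr>\d+(?:\.\d+){3})\s+"
    r"(?P<load>\d+)%\s+(?P<state>[A-Z]+)\s+(?P<name>\S+)$"
)


def parse_cphaprob_state(text):
    """Parse `cphaprob state` text into a dict of the fields worth triaging."""
    info = {
        "mode": None,
        "members": [],
        "pnotes": None,
        "failover_reason": None,
        "failover_count": None,
    }
    section = None  # which multi-line block of the output we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Cluster Mode:"):
            info["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Active PNOTEs:"):
            info["pnotes"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last member state change event:"):
            section = "state_change"
        elif line.startswith("Last cluster failover event:"):
            section = "failover"
        elif line.startswith("Cluster failover count:"):
            section = "count"
        elif section == "failover" and line.startswith("Reason:"):
            info["failover_reason"] = line.split(":", 1)[1].strip()
        elif section == "count" and line.startswith("Failover counter:"):
            info["failover_count"] = int(line.split(":", 1)[1])
        else:
            m = MEMBER_RE.match(line)
            if m:
                info["members"].append({
                    "id": int(m["id"]),
                    "local": m["local"] is not None,
                    "addr": m["addr"],
                    "load": int(m["load"]),
                    "state": m["state"],
                    "name": m["name"],
                })
    return info


def triage(info):
    """Return human-readable findings; the wording is mine, not Check Point's."""
    findings = []
    local = next((m for m in info["members"] if m["local"]), None)
    if local is not None and local["state"] != "ACTIVE":
        active = ", ".join(m["name"] for m in info["members"] if m["state"] == "ACTIVE")
        findings.append("local member %s is %s; the ACTIVE member (%s) is forwarding"
                        % (local["name"], local["state"], active or "none"))
    reason = info["failover_reason"] or ""
    if reason.startswith("Incorrect configuration"):
        # The decisive line in the poster's output: ClusterXL reports that the members
        # disagree on their cluster interfaces. Compare the interface list on both
        # members (cphaprob -a if) against the cluster object's topology.
        findings.append("ClusterXL reports a configuration mismatch: " + reason)
    if info["failover_count"] is not None and info["failover_count"] > 1:
        findings.append("%d failovers since the counter reset; the cluster is not stable"
                        % info["failover_count"])
    if info["pnotes"] and info["pnotes"] != "None":
        findings.append("active PNOTEs: " + info["pnotes"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_cphaprob_state(CPHAPROB_SAMPLE)):
        print("-", finding)
```

Run against the quoted output, the script reports the STANDBY state, the configuration-mismatch reason and three failovers in under half an hour. The reason string is what deserves attention before any rulebase change: a member with fewer cluster interfaces configured than its peer will not behave like its peer, whichever of the two happens to be active.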
Run fw ctl zdebug + drop | grep 8.8.8.8 on both cluster members when you ping 8.8.8.8 and see if the output shows anything related to dropped packets.
Hi @just13pro
Thanks for the reply.
Issue was resolved after adding Implicit Deny Rule.
That does not make much sense, since an implicit deny rule is always there out of the box on EVERY vendor's firewall. By the way, in the response to my commands yesterday, you don't show any routes on the firewall either.
Andy
Hi Checkmates
I am using a ClusterXL setup in my lab environment with R81.10. Since enabling the cluster setup, the secondary gateway is unable to ping anywhere. Fortunately, I have access to the secondary gateway from the WAN interface. I could find a similar situation in the following SK article.
I followed it and all the configurations were applied, but that was not the solution, and the same situation is still being experienced.
There was a similar post in Solved: Standby Cluster Member cannot reach the Internet - Check Point CheckMates as well, but that solution also did not work for me.
Can anyone help me out with this?
Thank You
Nisal Tharida
Have you done a tcpdump to see what traffic is going in/out of the gateway?
Hi @PhoneBoy
Please find the output.
[Expert@CP-GW-1:0]# tcpdump -i any host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:59:18.537686 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 127, length 64
09:59:18.538140 IP 10.200.10.101.35462 > 8.8.8.8.domain: 27549+ PTR? 8.8.8.8.in-addr.arpa. (38)
09:59:19.537692 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 128, length 64
09:59:20.537713 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 129, length 64
09:59:21.537685 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 130, length 64
09:59:22.537681 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 131, length 64
09:59:23.537673 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 132, length 64
09:59:24.537674 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 133, length 64
09:59:25.537765 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 134, length 64
09:59:26.537695 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 135, length 64
09:59:27.537701 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 136, length 64
09:59:28.537756 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 137, length 64
I have initiated ping traffic from the GW device.
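As an added example (not from the post above), here is a Python helper that reads tcpdump text output like the capture quoted in that post, pairs ICMP echo replies with their requests by id and sequence number, and reports what came back. The first sample is the first three quoted lines; the second is a constructed healthy capture with one reply missing, so the pairing logic can be seen to work in both directions. Addresses, ids and timestamps in the second sample are made up.

```python
import re

# Constructed sample: the first three tcpdump lines quoted in the post above.
STANDBY_CAPTURE = """\
09:59:18.537686 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 127, length 64
09:59:18.538140 IP 10.200.10.101.35462 > 8.8.8.8.domain: 27549+ PTR? 8.8.8.8.in-addr.arpa. (38)
09:59:19.537692 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 128, length 64
09:59:20.537713 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 129, length 64
""".splitlines()

# Constructed healthy capture (made-up values): two answered echoes, one lost.
HEALTHY_CAPTURE = """\
10:03:00.000100 IP 10.200.10.102 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64
10:03:00.012300 IP 8.8.8.8 > 10.200.10.102: ICMP echo reply, id 4242, seq 1, length 64
10:03:01.000100 IP 10.200.10.102 > 8.8.8.8: ICMP echo request, id 4242, seq 2, length 64
10:03:01.011900 IP 8.8.8.8 > 10.200.10.102: ICMP echo reply, id 4242, seq 2, length 64
10:03:02.000100 IP 10.200.10.102 > 8.8.8.8: ICMP echo request, id 4242, seq 3, length 64
""".splitlines()

# tcpdump's default text form for an ICMP echo line.
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def pair_echoes(lines):
    """Match echo replies to requests by (id, seq); return (answered, unanswered)."""
    requests = {}   # (id, seq) -> (timestamp, src, dst); dicts keep insertion order
    replies = set()
    for line in lines:
        m = ECHO_RE.match(line)
        if m is None:
            continue  # DNS, ARP and anything else in the capture is ignored
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests[key] = (m["ts"], m["src"], m["dst"])
        else:
            replies.add(key)
    answered = [k for k in requests if k in replies]
    unanswered = [k for k in requests if k not in replies]
    return answered, unanswered


def verdict(lines):
    """One-line reading of the capture, phrased the way I would note it in a ticket."""
    answered, unanswered = pair_echoes(lines)
    total = len(answered) + len(unanswered)
    if total == 0:
        return "no ICMP echo traffic in capture"
    if not answered:
        return ("%d echo requests seen and no reply reached any interface: confirm the "
                "request actually egressed the expected interface, then look at the next "
                "hop, its ARP entry and the return route" % total)
    if unanswered:
        return "%d of %d echo requests unanswered (%.0f%% loss)" % (
            len(unanswered), total, 100.0 * len(unanswered) / total)
    return "all %d echo requests answered" % total


if __name__ == "__main__":
    print(verdict(STANDBY_CAPTURE))
    print(verdict(HEALTHY_CAPTURE))
```

Two details of the quoted capture are worth knowing when reading it. The PTR query to 8.8.8.8.domain is tcpdump itself resolving the address because -n was not given, not traffic from the ping; tcpdump -ni eth2 icmp and host 8.8.8.8 captures on the egress interface without that noise. And with -i any (Linux cooked capture) the direction of a packet is not obvious, so an unanswered request on "any" does not yet prove it left the box on the right interface.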
Hi @PhoneBoy
Issue was resolved after adding Implicit Deny rule
Hi,
Are you able to share how you add the implicit deny rule?
At the bottom of the rule base,
src: any
dst: any
action: drop
It still makes no sense, as that rule is there by DEFAULT.
Andy
