Hi Team
What is the reason the secondary gateway is unable to ping the internet or its default gateway when it is in Standby Mode?
Note
Once the gateway became primary, it started to reach the internet, but then the other gateway lost internet reachability.
Thank You
We will need some further information about your configuration to understand the possible causes.
Do you use a configuration such as the following?
This is not the solution. Please find the information below.
Primary Gateway
eth0 - 172.16.200.251/24 - Internal
eth1 - 172.16.254.1/30 - Sync
eth2 - 10.200.10.101/24
eth3 - 10.200.20.101/24
Secondary GW
eth0 - 172.16.200.252/24 - Internal
eth1 - 172.16.254.2/30 - Sync
eth2 - 10.200.10.102/24 - External
eth3 - 10.200.20.102/24 - External
Cluster IP
eth0 - 172.16.200.254/24 - Internal
eth1 - N/A - Sync
eth2 - 10.200.10.100/24
eth3 - 10.200.20.100/24
After the cluster setup, the secondary gateway was unable to ping its WAN gateways, neither 10.200.10.254 nor 10.200.20.254. This setup is implemented in a virtual environment, and both gateways and the management server run the R81.10 release.
This is not the scenario. I have shared the information.
Is this deployed in VMware and what specific rules are defined in the policy to allow the traffic?
What do you see in packet capture?
This one could help:
https://support.checkpoint.com/results/sk/sk43807
This was followed but no luck.
I know it may seem trivial, but make sure this is allowed.
Andy
Already followed the steps.
Can you send outputs of commands I sent in the other post?
Andy
Hi @the_rock
Please find the output here.
[Expert@CP-GW-1:0]# cphaprob state
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 172.16.200.251 0% STANDBY CP-GW-1
2 172.16.200.252 100% ACTIVE CP-GW-2
Active PNOTEs: None
Last member state change event:
Event Code: CLUS-114802
State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Tue Jun 18 17:17:32 2024
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Jun 18 17:02:49 2024
Cluster failover count:
Failover counter: 3
Time of counter reset: Tue Jun 18 16:49:29 2024 (reboot)
[Expert@CP-GW-1:0]# tracepath 8.8.8.8
1?: [LOCALHOST] pmtu 1500
1: no reply
2: no reply
3: no reply
[Expert@CP-GW-1:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
[Expert@CP-GW-1:0]# ip r g 8.8.8.8
8.8.8.8 via 10.200.10.254 dev eth2 src 10.200.10.101
Thank You
Run fw ctl zdebug + drop | grep 8.8.8.8 on both cluster members while you ping 8.8.8.8 and see whether the output shows anything related to dropped packets.
Hi @just13pro
Thanks for the reply.
Issue was resolved after adding Implicit Deny Rule.
That does not make much sense, since an implicit deny rule is always there out of the box on EVERY vendor's firewall. By the way, in the response to my commands yesterday, you don't show any routes on the firewall either.
Andy
Hi Checkmates
I am using a ClusterXL setup in my lab environment with R81.10. Since enabling the cluster setup, the secondary gateway is unable to ping anywhere. Fortunately, from the WAN interface, I still have access to the secondary gateway. I could find a similar situation in the following SK article.
I followed it and applied all the configurations, but that was not the solution and the same situation is still being experienced.
There was a similar post in Solved: Standby Cluster Member cannot reach the Internet - Check Point CheckMates as well, but that solution also did not work for me.
Can anyone help me out on this?
Thank You
Nisal Tharida
Have you done a tcpdump to see what traffic is going in/out of the gateway?
Hi @PhoneBoy
Please find the output.
[Expert@CP-GW-1:0]# tcpdump -i any host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:59:18.537686 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 127, length 64
09:59:18.538140 IP 10.200.10.101.35462 > 8.8.8.8.domain: 27549+ PTR? 8.8.8.8.in-addr.arpa. (38)
09:59:19.537692 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 128, length 64
09:59:20.537713 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 129, length 64
09:59:21.537685 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 130, length 64
09:59:22.537681 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 131, length 64
09:59:23.537673 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 132, length 64
09:59:24.537674 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 133, length 64
09:59:25.537765 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 134, length 64
09:59:26.537695 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 135, length 64
09:59:27.537701 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 136, length 64
09:59:28.537756 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 137, length 64
I initiated ping traffic from the GW device.
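The two diagnostic outputs posted above (the cphaprob state block and the tcpdump capture) are easy to misread at a glance. The following is an added example, not code from the thread or from Check Point, that parses both formats as they appear in these posts and reports what a practitioner would check first: the local member's state, the reason recorded for the last failover, and how many ICMP echo requests to each host got a reply. The sample inputs are constructed copies of the posted outputs, and the regular expressions are my own assumptions about the output layout, not an official parser.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the cphaprob state output posted in
# the thread (not a live capture).
CPHAPROB_STATE = """\
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 172.16.200.251 0% STANDBY CP-GW-1
2 172.16.200.252 100% ACTIVE CP-GW-2
Active PNOTEs: None
Last member state change event:
Event Code: CLUS-114802
State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Tue Jun 18 17:17:32 2024
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Jun 18 17:02:49 2024
"""

# Constructed sample input, modelled on the tcpdump lines posted in the thread.
TCPDUMP = """\
09:59:18.537686 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 127, length 64
09:59:18.538140 IP 10.200.10.101.35462 > 8.8.8.8.domain: 27549+ PTR? 8.8.8.8.in-addr.arpa. (38)
09:59:19.537692 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 128, length 64
09:59:20.537713 IP 10.200.10.101 > 8.8.8.8: ICMP echo request, id 37122, seq 129, length 64
"""

# Member rows: "<id> [(local)] <address> <load>% <STATE> <name>" (assumed layout).
MEMBER_RE = re.compile(
    r"^(\d+)\s+(\(local\)\s+)?(\d+\.\d+\.\d+\.\d+)\s+(\d+)%\s+(\S+)\s+(\S+)$"
)
# tcpdump ICMP echo lines; the PTR lookup line does not match on purpose.
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def parse_cphaprob_state(text):
    """Return (members, last_failover_reason) from a cphaprob state dump."""
    members = []
    failover_reason = None
    in_failover = False
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            members.append({
                "id": int(m.group(1)),
                "local": bool(m.group(2)),
                "address": m.group(3),
                "load": int(m.group(4)),
                "state": m.group(5),
                "name": m.group(6),
            })
            continue
        if line.startswith("Last cluster failover event:"):
            in_failover = True
        elif in_failover and line.startswith("Reason:"):
            # "Reason for state change:" belongs to the member-state block and is skipped.
            failover_reason = line[len("Reason:"):].strip()
    return members, failover_reason


def flag_cluster_problems(text):
    """List the things worth checking before blaming the rulebase."""
    members, reason = parse_cphaprob_state(text)
    findings = []
    local = next((m for m in members if m["local"]), None)
    if local and local["state"] != "ACTIVE":
        findings.append(f"local member {local['name']} is {local['state']}, not ACTIVE")
    if reason and "Incorrect configuration" in reason:
        findings.append("last failover was caused by a configuration mismatch: " + reason)
    return findings


def icmp_summary(capture):
    """Count echo requests sent to, and echo replies received from, each peer."""
    counts = Counter()
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue
        src, dst, kind = m.group(1), m.group(2), m.group(3)
        peer = dst if kind == "request" else src
        counts[(peer, kind)] += 1
    hosts = {p for p, _ in counts}
    return {h: {"requests": counts[(h, "request")], "replies": counts[(h, "reply")]} for h in hosts}


if __name__ == "__main__":
    for finding in flag_cluster_problems(CPHAPROB_STATE):
        print("CHECK:", finding)
    for host, c in icmp_summary(TCPDUMP).items():
        print(f"{host}: {c['requests']} echo requests, {c['replies']} echo replies")
```

Run against the posted outputs, the script reports that the local member is STANDBY and that the last failover reason was a cluster-interface count mismatch, and that every echo request to 8.8.8.8 left the box without a single reply coming back, which is the pattern to correlate with fw ctl zdebug + drop on both members.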
Hi @PhoneBoy
Issue was resolved after adding an Implicit Deny rule.
Hi,
Are you able to share how you add the implicit deny rule?
At the bottom of the rule base,
src: any
dst: any
action: drop
It still makes no sense, as that rule is there by DEFAULT.
Andy