
Issue with Checkpoint cluster

Dear Team,

I am facing a connectivity issue with one of my servers. When I point to the cluster IP as gateway, I am not able to reach the device, but when I configure an individual cluster member as gateway, it is working perfectly fine. What could be the issue? My Checkpoint cluster is in HA mode.

0 Kudos
7 Replies

Re: Issue with Checkpoint cluster

Ravindra,
Can you please share with us which Gaia version and JHG you are running?

Is this happening only with this server?
Please use the fw monitor and fw ctl zdebug drop | grep ip (ie: fw ctl zdebug drop | grep 10.0.0.1) to check if there are any drops or if the traffic is reaching or leaving the firewall.
____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos

Re: Issue with Checkpoint cluster

It is R80.10 with the latest hotfix.
Traffic is reaching for sure when I point it to an individual cluster member as gateway. But it did not work when I use the cluster IP as gateway.
0 Kudos

Re: Issue with Checkpoint cluster

Check with cphaprob stat which of the 2 members is the active member.
Then you can use cphaprob -a if to check the interfaces that are active.
Regards, Maarten
0 Kudos

Re: Issue with Checkpoint cluster

Hello Ravindra,

In addition to what has already been suggested, could you please give us some background information on the setup of the cluster? In other words, did you configure a cluster right from the start (while going through the first time configuration wizard) or did you start with a single gateway and then try to configure it as a cluster with another gateway?

Many thanks.

0 Kudos

Re: Issue with Checkpoint cluster

Hi Nick,
This cluster has already been working for the last 2 years. All other devices in the same segment have the cluster IP as gateway and they are working fine. Only with these 2 new servers I am facing the issue.

Thanks.
0 Kudos

Re: Issue with Checkpoint cluster

Have you looked at the ARP table for these servers? When you try to ping the VIP, do you see the MAC for that IP? Have you enabled vMAC on the cluster object? If not, please try this; sometimes an OS could be too intelligent and say: hey, there are 2 IPs with the same MAC, I will not allow that...
Regards, Maarten
0 Kudos

Re: Issue with Checkpoint cluster

I got one observation. On my server, I am getting the MAC of the standby firewall against the cluster IP. Why is this happening? I should get the active firewall MAC against the cluster IP, correct? We are not using vMAC on the cluster.
0 Kudos
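
The ARP check discussed in the replies above, as an added example that is not part of any post in the thread: it reads neighbour-table lines in Linux `ip neigh show` format and reports which cluster member's MAC the server has cached for the cluster IP. The function name `vip_owner` and every address and MAC in the sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: map the MAC cached for the cluster VIP to a cluster member.
# SAMPLE_NEIGH is constructed data in `ip neigh show` format, not real output.
SAMPLE_NEIGH='10.0.0.1 dev eth0 lladdr 00:1c:7f:00:00:02 REACHABLE
10.0.0.2 dev eth0 lladdr 00:1c:7f:00:00:01 STALE
10.0.0.3 dev eth0 lladdr 00:1C:7F:00:00:02 STALE
10.0.0.9 dev eth0 FAILED'

# vip_owner VIP MEMBER_IP...
# Reads neighbour lines on stdin and prints:
#   the member IP whose MAC equals the MAC cached for the VIP,
#   "unknown"  if the VIP's MAC matches none of the listed members
#              (for example when a separate virtual MAC is in use),
#   "no-entry" if the VIP has no resolved entry (FAILED/INCOMPLETE or absent).
vip_owner() {
    vip=$1; shift
    awk -v vip="$vip" -v members="$*" '
        BEGIN { n = split(members, m, " ") }
        {
            # Resolved entries carry "lladdr <mac>"; unresolved ones do not.
            mac = ""
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac != "") seen[$1] = mac
        }
        END {
            if (!(vip in seen)) { print "no-entry"; exit }
            for (i = 1; i <= n; i++)
                if ((m[i] in seen) && seen[m[i]] == seen[vip]) { print m[i]; exit }
            print "unknown"
        }'
}

# Constructed case: VIP 10.0.0.1, members 10.0.0.2 and 10.0.0.3.
printf '%s\n' "$SAMPLE_NEIGH" | vip_owner 10.0.0.1 10.0.0.2 10.0.0.3

# On a live Linux host (ping each member first so its entry is cached):
#   ip neigh show | vip_owner <cluster-ip> <member1-ip> <member2-ip>
```

Compare the member it prints with the one `cphaprob stat` reports as active; a mismatch is the symptom described in the last post.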