This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andy_N
Contributor
‎2019-03-26 05:00 AM

VLAN HA Cluster error

We currently have a Check Point Cluster HA mode.

We made test Vlan in GAIA on both nodes (see pics) and assign virt IP in SmartConsole – after it one Cluster node change state to down. What do we wrong?NetworkNetworkErrorErrorNode 1Node 1Node 2Node 2ErrorError

11 Replies
Jerry
Mentor
Mentor
‎2019-03-26 05:04 AM

misconfig and/or wrong design of vlan's for SYNC as well as vlan's for State setup. Please provide cphaprob -a if and cphaprob stat from your shell should you need more details of why things went wrong.
Jerry
0 Kudos
Andy_N
Contributor
‎2019-03-26 05:15 AM
In response to Jerry

Hi, Jerry

cphaprob -a if 

equired interfaces: 5
Required secured interfaces: 1

eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
eth4 UP non sync(non secured), multicast
eth5 UP sync(secured), multicast
Mgmt Disconnected non sync(non secured), multicast
eth3 DOWN (86.3 secs) non sync(non secured), multicast (eth3.2 )

Virtual cluster interfaces: 5

eth1 87.
eth2 192.
eth3 192.
eth4 198.
eth3.2 10.10.2.254

 

cphaprob stat
Number Unique Address Assigned Load State

1 (local) 3.3.3.1 0% Down
2 3.3.3.2 100% Active Attention

Local member is in current state since Tue Mar 26 15:10:17 2019

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-03-26 06:15 AM
In response to Andy_N

Does basic connectivity actually work on interface eth3.2?  Is there at least one other pingable IP address on that network other than the cluster members themselves?

 

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Andy_N
Contributor
‎2019-03-26 06:19 AM
In response to Timothy_Hall

Hi , Timothy_Hall

 

Yes, there is - but no ping request ...

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-26 07:06 AM
In response to Andy_N

as an example I can show you how it should looks like:

Problem Notification table
------------------------------------------------
|Name |Status|Priority|Verified|Descr|
------------------------------------------------
|Synchronization|OK | 0| 7394| |
|Filter |OK | 0| 7393| |
|routed |OK | 0| 7392| |
|cphad |OK | 0| 352513| |
|fwd |OK | 0| 352507| |
------------------------------------------------

as well as that one:

Product name: High Availability
Major version: 6
Minor version: 0
Service pack: 4
Version string: N/A
Status code: 0
Status short: OK
Status long: Refer to the Notification and Interfaces tables for information about the problem
HA installed: 1
Working mode: High Availability (Active Up)
HA protocol version: 2
HA started: yes
HA state: active
HA identifier: 1

---

compare to yours after doing
cpstat ha -f all | grep -v eth

and see you match the issues.
Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-26 07:02 AM
In response to Andy_N

your SYNC int's are 3.3.3.1 and 2 - are they really eth5 ? have you checked the subnet mask of eth5?
if PRI is 3.3.31 and SEC is 3.3.3.2 I presume tere isn't any VIP on that INT done by the object Network Management section?

ps. you need more than 1 Sync interface for the ClusterXL to work and I guess when eth3 DOWN and NON-SYNC is that one part of the Cluster is only DOWN another is UP am I correct?

I guess the whole ClusterXL setup seem little bit twisted here to be honest.

what happends when you do cphaprob syncstat / ldstat? paste it here pls.
Jerry
0 Kudos
Andy_N
Contributor
‎2019-03-26 10:18 PM
In response to Jerry

@Jerry wrote:
your SYNC int's are 3.3.3.1 and 2 - are they really eth5 ? have you checked the subnet mask of eth5?
if PRI is 3.3.31 and SEC is 3.3.3.2 I presume tere isn't any VIP on that INT done by the object Network Management section?

ps. you need more than 1 Sync interface for the ClusterXL to work and I guess when eth3 DOWN and NON-SYNC is that one part of the Cluster is only DOWN another is UP am I correct?

I guess the whole ClusterXL setup seem little bit twisted here to be honest.

what happends when you do cphaprob syncstat / ldstat? paste it here pls.

Jerry, yes 3.3.3.1 and 3.3.3.2 realy eth5.

Our Cluster HA is work well untill we not make a VLAN.

After VLAN was created - one node is down and another is UP - you are right.

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-26 07:04 AM
In response to Andy_N

also please show us

cphaprob -l list
cpstat ha -f all | grep -v eth ----> (mask IP's first) the important part is:
"Problem Notification table"

Thanks.
Jerry
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-03-26 01:36 PM
In response to Jerry

You have assigned an IP address for physical interface eth3. You are trying to add new VLAN on eth3? What is the point here? Such a configuration is not allowed.

Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePl...

Kind regards,
Jozko Mrkvicka
Andy_N
Contributor
‎2019-03-26 10:21 PM
In response to JozkoMrkvicka

Hi, Jozko

 

Today I'll try your solution to do.

 

I'll back after trying.

Thanks

0 Kudos
Andy_N
Contributor
‎2019-03-27 10:53 PM
In response to Andy_N

So I'm back.

We've resolved our VLAN issue.

The problem was in Cisco port configuration. In our case – ports were configured as NATIVE VLAN mode. After we changed port mode to Hybrid – all works fine.

According sk88700 – no matter have you  assigned an IP address for physical interface or not – it works fine if VLAN port on network equipment configured properly .

Thanks everyone for help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 02 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Aarhus
    In-Person

    Wed 03 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Copenhagen
    In-Person

    Fri 12 Jun 2026 @ 09:00 AM (CEST)

    Netzwerk- & Cloud-Workshop: Wien
    In-Person

    Tue 16 Jun 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    CheckMates Events