This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Garbo
Explorer
Explorer
‎2021-08-13 06:57 AM

Maestro Dual Site Dual Orchestrator Deployment - Site2 SGMs LOST

Hello CheckMates,

We have a Maestro Dual Site / Dual Orchestrator (2 MHOs - 2 MHOs) new deployment with R80.20SP (MHO) and R80.30SP (SGM) software versions. Only 1 SG is configured and installed as VSX/VSLS.
Site1 looks fine, Chassis 1 ACTIVE and SGMs are both ACTIVE as well, but Site2 Chassis 2 DOWN and SGMs are both LOST 😞
The only one SG consists of the Site1 SGMs currently, but Site2 SGMs are not in the group and not even FTW ran on them. Cabling and port types and amounts and IDs and ssm_sync and site_sync and magg are okay in my opinion.

As a reference sk168092 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Scenario #2 is the relevant deployment.

At the bottom of the website:
Testing Dual-Site infrastructure
Connectivity between Orchestrators at different sites:

From MHO1_1 ping MHO 2_1: ping 203.0.113.15
From MHO1_2 ping MHO 2_2: ping 203.0.113.16
If there is no ping, check VLANs 3951 and 3952 accordingly

Connectivity between Orchestrators at the same site:
From MHO1_1 ping MHO1_2: ping 192.0.2.2
From MHO2_1 ping MHO2_2: ping 192.0.2.16
If there is no ping, check the Sync cable between Orchestrators within the same site.

Connectivity between SGMs (appliances)
From SGM1_1 ping SGM2_1 on sync network: ping 192.0.2.15
If there is no ping, check VLANs 3600 and 3601.

All ICMP test are okay!

I detached all the Site2 SGMs from the SG and attached again, all appliances were restarted, but the issue is the same and I'm stucked at this point.
There is an open SR regarding this with more info shared, but no progress yet.

site_sync connected switch port config:
interface Ethernetx/xx
description site_sync
switchport
switchport mode dot1q-tunnel
switchport access vlan xx
spanning-tree bpdufilter enable
mtu 9216
storm-control broadcast level 2.00
storm-control action trap
no shutdown

Maestros, do you have any idea, good advice or what to check? 🙂

Thank you in advance!

0 Kudos
2 Replies
Fernando_Lopez
Contributor
‎2022-01-26 10:43 AM

Hello Garbo, than you for share switch's configuration. Can you share also the Inter-site link configuration?

MHO 1 <---> SW1 <-------Inter-site link------->SW2<--->MHO2

My ICMP test isn´t OK

Thank you!

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-01-26 03:07 PM
In response to Fernando_Lopez

Typically QinQ support is required on this link, which version are the MHO/SGMs in your deployment?

R81.10 provides some flexibility here that you may wish to discuss with TAC otherwise.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events