This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Alex-
Leader Leader
Leader
yesterday

Maestro dual site, dual MHO - questions

All systems R81.20 Take 98.

I'm looking at a Maestro setup configured as multi-site with direct connections between MHO (Sync-int, sync-ext) and dual MHO.

All connections are up and the MHO are configured as site 1, 2, id 1, id 2 per site.

Next, we have a VSX security group with Force SGM connected on the same ports on MHO1_1 and MHO1_2 on site 1, and MHO2_1 and MHO2_2 on site 2.

The SG is created and works.

According to the network integrator (outside my control and area of visibility), both sites have perfect replication in terms of L1/L2, since the SG work, this makes sense.

Site 1 Site 2
MHO1_1 MHO2_1
MHO1_2 MHO2_2
Force with uplink to each MHO Force with uplink to each MHO

 

The administration guides were followed to create the security group, everything was done on 1_1 and the 2 sites appear in the MHO configuration.

We get an active/active system, VS0 created as singly VSX gateway with SG IP.

Now the issue are as follows:

On the 2nd site MHO, orchd/asg commands stall or don't produce output. Sometimes a command like "orchd stat" on the MHO or asg monitor will work then on another run in the same session will stall and hang.

SSH to MHO site 2 works but not HTTPS.

If we failover the SG to site 2, we get the same scenario with unreliable SSH output and policy install on VS0 fails with SSL errors in the policy installation output.

I don't have other experience with dual site so I can't compare. The network should be fine, so I'm wondering if there are extra steps or something I would have missed in the process which could make sense here.

As far as I know, we followed all administration guides and relevant SK.

0 Kudos
7 Replies
emmap
Employee
Employee
yesterday

Without being able to really understand the layer 1 and layer 2 setup it's hard to say, but it seems like there's something going wrong with the site_sync stuff. How're the MHOs directly connected between sites? Do you have a sufficiently anonymised diagram you can share?

0 Kudos
AkosBakos
Leader Leader
Leader
2 hours ago

  • What were the steps of creating the secondary site?
  • asg stat -v shows the second site (MHO and SGMs)?
  • Layer4 distribution mode is enabled or disabled?
----------------
\m/_(>_<)_\m/
0 Kudos
Alex-
Leader Leader
Leader
an hour ago
In response to AkosBakos

@emmap Basically what is described in the multisite setup with direct connection: https://sc1.checkpoint.com/documents/Appliances/GSG_Maestro/EN/Topics/Connecting-Cables-for-Dual-Sit...

Except one SGM per site. Network provider provides virtualised "dark fibre" and are adamant their configuration is fine.

At least it looks like, the MHO don't complain of not seeing each other.

@AkosBakos Followed the admin guide, L4 distribution is off.

--------------------------------------------------------------------------------
| VSX System Status - Maestro                                                  |
--------------------------------------------------------------------------------
| Chassis Mode                | Active Up                                      |
| Up time                     | 5 days, 19:39:31 hours                         |
| SGMs                        | 2 / 2                                          |
| Virtual Systems             | 1                                              |
| Version                     | R81.20 (Build Number 722)                      |
--------------------------------------------------------------------------------
| VS ID:  0                     VS Name:  <removed>                       |
--------------------------------------------------------------------------------
| SGM ID             Chassis 1                          Chassis 2              |
|                    ACTIVE                             STANDBY                |
--------------------------------------------------------------------------------
|  1                   ACTIVE                             ACTIVE               |
--------------------------------------------------------------------------------
| Chassis Parameters                                                           |
--------------------------------------------------------------------------------
| Unit        |        Chassis 1          |        Chassis 2          | Weight |
--------------------------------------------------------------------------------
| SGMs        |          1 / 1            |          1 / 1            |   6    |
| Ports       |                           |                           |        |
|   Standard  |          0 / 0            |          0 / 0            |  11    |
|   Bond      |          0 / 0            |          0 / 0            |  11    |
|   Other     |          0 / 0            |          0 / 0            |   6    |
| Sensors     |                           |                           |        |
|   SSMs      |          2 / 2            |          2 / 2            |  11    |
|             |                           |                           |        |
| Grade       |         28 / 28           |         28 / 28           |   -    |
--------------------------------------------------------------------------------
| Minimum grade gap for chassis failover:                               11     |
| Synchronization                                                              |
|     Sync to Active chassis:    Enabled                                       |
|     Sync to Standby chassis:   Enabled                                       |
--------------------------------------------------------------------------------
| Chassis HA mode:              Active Up                                      |
--------------------------------------------------------------------------------

 

0 Kudos
AkosBakos
Leader Leader
Leader
an hour ago
In response to Alex-

Hi @Alex- 

Just for sure, the md5sum -s of the SGMs are the same?

show smo image md5sum

And the #lldpctl command shows the remote site on both site, right?

A

----------------
\m/_(>_<)_\m/
0 Kudos
Alex-
Leader Leader
Leader
57m ago
In response to AkosBakos

Yes and yes. Still checking the network side of all of this, as the MHO on the second site were showing that behaviour even when no SG was configured.

0 Kudos
AkosBakos
Leader Leader
Leader
41m ago
In response to Alex-

Hi @Alex- 

Maybe you have already checked the settings according to https://support.checkpoint.com/results/sk/sk168092

The QinQ was configured correctly?

Connectivity between Orchestrators on different sites:

  • From MHO 1_1 ping MHO 2_1: ping 203.0.113.15
  • From MHO 1_2 ping MHO 2_2: ping 203.0.113.16

If there is no ping, examine VLAN IDs 3951 and 3952.

Connectivity between Orchestrators on the same site:

  • From MHO 1_1 ping MHO 1_2: ping 192.0.2.2
  • From MHO 2_1 ping MHO 2_2: ping 192.0.2.16

If there is no ping, examine the Internal Sync cable between Orchestrators on the same site.

Connectivity between Security Group Members (appliances):

  • From SGM 1_1 ping SGM 2_1 on the sync network: ping 192.0.2.15

If there is no ping, examine VLAN IDs 3600 and 3601.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Alex-
Leader Leader
Leader
15m ago
In response to AkosBakos

Yes these are all peachy. We're still investigation with the relevant parties.

Thanks for your feedback. 👍

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events