This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
EugeneK
Explorer
‎2023-07-27 08:56 AM
Jump to solution

Maestro dual site failover

Hello

Maestro dual site scenario, Security Group Active/Standby mode, Active security gateways on one site, Standby on other site.

How works failover?

What will happen if interconnect link is down between sites? 

What will happen after the link is up?

 

Regards

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2023-08-02 12:28 AM
Jump to solution

Failover occurs when the active site has degraded sufficiently to trigger a failover, according to the weighting seen in 'asg stat'. By default, if you lose a bond on the active site, it'll fail over. If you lose an orchestrator, it'll fail over. If you lose one SGM it will not fail over, but if you lose two it will. 

Failover functionally works like any Check Point A/S cluster. Connections are maintained and continued on the other site.

If the site sync link goes down the two sites will try to discover each other via the uplinks. They will maintain the current cluster state until sync is restored. Once the link is back up, sync is restored and you're back to normal. 

View solution in original post

0 Kudos
5 Replies
emmap
Employee
Employee
‎2023-08-02 12:28 AM
Jump to solution

Failover occurs when the active site has degraded sufficiently to trigger a failover, according to the weighting seen in 'asg stat'. By default, if you lose a bond on the active site, it'll fail over. If you lose an orchestrator, it'll fail over. If you lose one SGM it will not fail over, but if you lose two it will. 

Failover functionally works like any Check Point A/S cluster. Connections are maintained and continued on the other site.

If the site sync link goes down the two sites will try to discover each other via the uplinks. They will maintain the current cluster state until sync is restored. Once the link is back up, sync is restored and you're back to normal. 

0 Kudos
Marco32
Contributor
‎2023-10-17 06:05 AM
In response to emmap
Jump to solution

Hi there,

I have some doubt about VSLS failover over Maestro dual site.

 

I have configured a security group with VSX and set it as VSLS "set chassis high-availability mode 3", I have some VS active on Chassis 1 and some other active on Chassis 2.

Running "show cluster members interfaces all" from a VS I see the following output:

CCP mode: Automatic
Required interfaces: 1
Required secured interfaces: 0

Interface Name: Status:

Sync (S) UP
bond1.200 (LS) DOWN
bond2.100 (LS) DOWN

 

Running "cphaprob stat" I see:

Cluster Mode: HA Over LS

ID Unique Address Assigned Load State Name

1 (local) 192.0.2.1 50% ACTIVE admin-ch01-01
2 192.0.2.2 50% ACTIVE admin-ch01-02
15 192.0.2.15 50% ACTIVE admin-ch02-01
16 192.0.2.16 50% ACTIVE admin-ch02-02

 

Actually I have all link down on both sites for maintenance but I see that VS is Active because is required only 1 interface on cluster.

Is this correct? Why default configuration have only 1 interface required even if I have 6 interfaces presents?

 

With VSLS configuration if all the slave of a bond interface on chassis 1 (where VS is active) goes down, VS have to failover over chassis 2. Is this correct?

 

Regards

0 Kudos
Jochen_Hoechner
Employee
Employee
‎2023-10-17 07:52 AM
In response to Marco32
Jump to solution

Hi,

In general, all SGM modules are active. The state in 'cphaprob' is OK. As all interfaces on both sites are down, the chassis grade is equal. Once the interfaces on one site become up, the chassis grade will change and you will see one site down.

The correct tool for monitoring the status in a maestro vsls environment is 'asg monitor'.
If you use 'asg monitor vs all' you see status of all virtual systems across both sites (chassis1, chassis2).

Please check in addition: 

asg_bond (if you use bonded interfaces)
- per VS the 'asg if' command

0 Kudos
Marco32
Contributor
‎2023-10-18 02:49 AM
In response to Jochen_Hoechner
Jump to solution

Hi Jochen, thanks for your support.

So I have to plug the cable to see different status in cphaprob. For VS that run on Chassis1 will I see ACTIVE for the SGM on site 1 and some different info for SGM on site 2?

 

Locking with "asg_bond" I see that bonds are in Failed because eth of both site are now DOWN and "asg if" teel me that every interface (ex. bond1.200 and so on) are in down for both chassis

 

What about the output of "show cluster members interfaces all"? Why I see "Required interfaces: 1" even if I have several interfaces? Shouldn't I have multiple interfaces here?

0 Kudos
emmap
Employee
Employee
‎2023-10-25 01:31 AM
In response to Marco32
Jump to solution

Maestro clustering and regular clustering work differently. We don't do the same interface monitoring in Maestro like we do in regular CXL, hence you are not getting meaningful output from the commands you are running. Please monitor Maestro clustering with asg stat commands (asg stat -v, asg stat vs all, asg stat vs).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events
    Top