This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2018-09-28 05:29 AM
Jump to solution

ClusterXL Addressing

I'm having trouble identifying if the ClusterXL ipv4 address in the general properties is supposed to match up a VIP  under network management.

The deployment I'm working on has the clusterXL IPv4 address different from any of the defined VIPs, and as such isn't tied to any interface, so it doesn't respond to pings and such. The self signed certificates reference this address as well, and I'm unsure if that's what's causing problems with Identity collector and agents.

Is this normal, or should the ClusterXL address be the same as one of the VIPs for a defined interface (i.e internal interface vip)?

Thanks

1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2018-09-28 06:20 AM
In response to NorthernNetGuy
Jump to solution

Okay, I see you issue better now. You are using an IP address for the cluster object that ends with .5. It does not belong to any NIC or VIP. Of course it won't work. Change it to .3

View solution in original post

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2018-09-28 05:44 AM
Jump to solution

It is a common practice to use the same IP subnet for both physical NIC IPs and VIP. However, you can also use one or more VIPs that belong to some other IP segments.

In such cases you have to make sure the physical machines have static host routes pointing VIP on the member's physical NIC IP address. If you did not do that, you will not be able to ping VIP, and some other networking issues are expected if VIP is being used to connect. 

0 Kudos
NorthernNetGuy
Advisor
‎2018-09-28 05:57 AM
In response to _Val_
Jump to solution

We do follow that practice. All our VIPs are in the same subnet as their physical interfaces.

I think it will be easier to show than explain:

The IPv4 under general properties is the IP address used as the  SAN ip address (in the generated self signed certificate in IPSec VPN). This address is not tied to any interface. I'm wondering if it should be changed to the VIP of the related subnet.

0 Kudos
_Val_
Admin
Admin
‎2018-09-28 06:20 AM
In response to NorthernNetGuy
Jump to solution

Okay, I see you issue better now. You are using an IP address for the cluster object that ends with .5. It does not belong to any NIC or VIP. Of course it won't work. Change it to .3

0 Kudos
NorthernNetGuy
Advisor
‎2018-09-28 06:24 AM
In response to _Val_
Jump to solution

As this is the Cluster object, should it not be the VIP (.3) and not the .7 that is for one of the physical gateways?

_Val_
Admin
Admin
‎2018-09-28 06:29 AM
In response to NorthernNetGuy
Jump to solution

Yes, my mistake, .3 of course. Use VIP for the cluster object. Use physical IP addresses for representing the cluster members.

0 Kudos
NorthernNetGuy
Advisor
‎2018-10-11 07:24 AM
In response to _Val_
Jump to solution

Just an Update. I've changed the addressing to match the VIP, renewed the L2TP certificates related to it, and everything is working smoothly.

_Val_
Admin
Admin
‎2018-10-12 12:01 AM
In response to NorthernNetGuy
Jump to solution

As it should. I am grad you have figured it out

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events