This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriNarasimha005
Contributor
‎2018-03-11 11:59 AM
Jump to solution

Sync IP Addresses-Checkpoint Clustering

Hi Experts

We've checkpoint cluster configured using High availability XL. When we issue cphaprob stat the cluster status is as expected but it's displaying the Sync IP addresses.Typically Firewall cluster members management IP addresses will be displayed.

Please assist what could be the reason for this. Below logs for reference.

[Expert@Firewall]# cphaprob stat

Cluster Mode: High Availability (Primary Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 192.168.252.253 100% Active  ----------->>>>
2 192.168.252.254 0% Standby        ----------------->>> Sync IP Address

0 Kudos
1 Solution

Accepted Solutions
AlekseiShelepov
Advisor
‎2018-03-12 03:02 AM
In response to SriNarasimha005
Jump to solution

sk61546 doesn't provide a solution for what you need, because it is not a problem, but a normal working state of cluster. This SK is about situations when IP addresses are from different networks in the output of cphaprob stat. If there is a different IP adress than of Sync interface, then it usually means that there is an issue with sync, that's what the SK says.

IP addresses during normal operation:

Member_A
Number     Unique Address  Assigned Load   State
1 (local)  172.16.1.1      X%              some_state
2          172.16.1.2      Y%              some_state
Member_B
Number     Unique Address  Assigned Load   State
1          172.16.1.1      X%              some_state
2 (local)  172.16.1.2      Y%              some_state

IP addresses during some problem in the cluster:

Member_A
Number     Unique Address  Assigned Load   State
1 (local)  192.168.55.1    X%              some_state
2          10.20.30.2      Y%              some_state
Member_B
Number     Unique Address  Assigned Load   State
1          172.16.1.1      X%              some_state
2 (local)  172.16.1.2      Y%              some_state

I am not sure why you consider Sync IP addresses and not management IP as a problem in cphaprob stat. It is a normal state. I've just quickly confirmed it on Gaia R77.20 cluster, on Splat R77 cluster, on IPSO R75.40 VRRP cluster, they all show IP addresses of Sync interfaces.

View solution in original post

4 Replies
AlekseiShelepov
Advisor
‎2018-03-11 12:46 PM
Jump to solution

sk61546:

The IP addresses, which appear in the output of 'cphaprob state' command next to each member are their unique IP addresses.

A "unique IP address" of a member is one of its IP addresses, chosen by an algorithm. This algorithm gives its decision after it considered special weights given to different parameters, such as : is this a trusted interface? is it connected? is it up? what is the interface number in kernel (see output of 'fw ctl iflist' command), etc.
When having an error, the state of the interfaces might change, and therefore the algorithm might choose a different IP address to be the unique IP address of the member, and this explains why you might see the unique IP addresses changed during or after an error occurred.

Unique IPs for cluster members can be viewed with cphaprob tablestat.

SriNarasimha005
Contributor
‎2018-03-11 02:13 PM
In response to AlekseiShelepov
Jump to solution

Thanks Aleksei for the infor. Is there any way we could change it manually to Firewall Management IP addresses.

And will it create any issue during Failover. Please assist as Advance access is required to check in checkpoint Support center for sk61546. And it's mentioned as below. 

Cause

This behaviour is a part of clustering mechanism. If Cluster Control Protocol (CCP ) packets are not sent/received correctly on the Sync interface, the clustering mechanism might choose one of the other cluster interfaces.

*****

But i see Sync packets are sent and received and logs are captured using the command fw ctl pstat.


Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 2256615618, retransmitted : 260178, retrans reqs : 42398, acks : 4163909
Sync packets received:
total : 108420891, were queued : 90356, dropped by net : 59118
retrans reqs : 170300, received 3771056 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 26747
Callback statistics: handled 3679290 cb, average delay : 1, max delay : 112

0 Kudos
AlekseiShelepov
Advisor
‎2018-03-12 03:02 AM
In response to SriNarasimha005
Jump to solution

sk61546 doesn't provide a solution for what you need, because it is not a problem, but a normal working state of cluster. This SK is about situations when IP addresses are from different networks in the output of cphaprob stat. If there is a different IP adress than of Sync interface, then it usually means that there is an issue with sync, that's what the SK says.

IP addresses during normal operation:

Member_A
Number     Unique Address  Assigned Load   State
1 (local)  172.16.1.1      X%              some_state
2          172.16.1.2      Y%              some_state
Member_B
Number     Unique Address  Assigned Load   State
1          172.16.1.1      X%              some_state
2 (local)  172.16.1.2      Y%              some_state

IP addresses during some problem in the cluster:

Member_A
Number     Unique Address  Assigned Load   State
1 (local)  192.168.55.1    X%              some_state
2          10.20.30.2      Y%              some_state
Member_B
Number     Unique Address  Assigned Load   State
1          172.16.1.1      X%              some_state
2 (local)  172.16.1.2      Y%              some_state

I am not sure why you consider Sync IP addresses and not management IP as a problem in cphaprob stat. It is a normal state. I've just quickly confirmed it on Gaia R77.20 cluster, on Splat R77 cluster, on IPSO R75.40 VRRP cluster, they all show IP addresses of Sync interfaces.

Vladimir
Champion
Champion
‎2018-03-11 01:25 PM
Jump to solution

This is as it should be: The IP addresses of ClusterXL members in the output of 'cphaprob stat' command differ from... 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events