This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ABosinceanu
Contributor
‎2022-06-21 07:00 AM

1600 Cluster sync issues

Hi All, 

We have a newly delivered(May 2022) 2x1600 Spark R80.20.35 appliances that have been configured as a cluster.

My colleague that did the configuration is long time on Check Point and I have no doubt that the configuration was done as usual - to work :).

After the configuration was done, we observed that the cluster members do not sync.

Have anyone encountered that recently?

If I should post more info about the issue, please let me know and I will anonymize mentioned configs and I will post it here - but I belive that this is not related to configs or ISP.

Best wishes, 

Andrei

Andrei Bosinceanu
https://www.linkedin.com/in/andrei-bosinceanu-34582358/
8 Replies
Sorin_Gogean
Advisor
‎2022-06-21 07:15 AM

hey,

 

we need more details on what/how is configured, as if they don't sync then, do they report smth wrong in SmartConsole ?

(as I've seen they support ClusterXL)

Usually the 15K series I use have a SYNC interface that you set it as synchronization and is used specifically for that, but on 1600 I don't see that, so most likely you define some of the LAN ports to be used for sync.

 

Ty,

PS: from here

Configuring High Availability

In the Device > High Availability page you can create a cluster of two appliances for high availability.

Note - You cannot create a cluster when you have a switch or bridge defined in your network settings on the appliance. If necessary, change network settings in the Device > Local Network page.

After you define a cluster, you can select to Enable or Disable the cluster.

The page shows the configured interfaces for monitoring or high availability enabled in a table, where you can edit them.

Interface options in cluster mode:

  • High Availability - Two physical interfaces in 2 cluster members act as a single interface toward the network, using a single virtual IP address.

    Note - In this cluster solution, each interface has a local IP address in addition to the shared single virtual IP address.

  • Sync - Two physical interfaces must be defined as Sync interfaces and connected between the members to allow proper failover as needed. The default is to use LAN2/Sync physical port.

  • Non HA (also called private) - The physical interface in this member does not participate in High Availability functions.

  • Monitored (also called private monitored) - The physical interface in this member is not coupled with another interface on the other member as in High Availability interface mode. The interface's status is still monitored, and if a problem occurs the member will fail over to the second one.
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-06-21 07:45 AM
In response to Sorin_Gogean

You cite from Locally Managed SMBs R80.20.20 manual but ask if they report smth wrong in SmartConsole - we should better know the deployment before guessing...

Concerning the Sync Port: Both 1600 + 1800 have port 2 named as sync, 1600 with 1GbE and 1800 with 2,5 GbE.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-06-21 07:33 AM

1600 SMB appliances HA cluster are much different to GAiA clusters - you only configure the active node in detail, and after selecting the second node in FTW as standby HA node, all config will be synchronized from active node. You did not write about it, but i assume you have a locally managed SMB cluster, so this applies: sk121096: How to configure a cluster between locally managed SMB appliances

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-06-21 07:36 AM

Depending on the deployment scenario there is R80.20.40 available now with some clustering enhancements.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-06-22 12:24 AM
In response to Chris_Atkinson

I would suggest to upgrade to R80.20.40 asap !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-06-22 07:31 AM

Centrally or locally managed SMBs ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
ABosinceanu
Contributor
‎2022-06-24 05:16 AM
In response to G_W_Albrecht

Locally managed.

Update:

1. We performed upgrade to R80.20.40 and the issue persisted.

2. We went back to R80.20.35 and recreated the cluster from scratch + adding specific policies to allow traffic between cluster members and the sync issue was solved. That specific policies where there from the first time, so that was not the issue.

I have no clue what was that. The procedure of setup was the same in both Cluster setup configurations...same order for steps.

 

Andrei Bosinceanu
https://www.linkedin.com/in/andrei-bosinceanu-34582358/
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-06-27 04:39 AM
In response to ABosinceanu

As long as you do follow sk121096How to configure a cluster between locally managed SMB appliances sync should work. Afaik specific policies to allow traffic between cluster members are only needed in Strict Mode.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events