Solved: Re: Cluster of two SMB 1900

Exonix · ‎2025-04-10

Hello,

I've configured a cluster of two SMB 1900, but it seems something is missing:

Exonix · ‎2025-04-10

My friend Ivan gave me a link, which solved Cluster issue (but fully working cluster didn't resolve RAS VPN ussie...)

View solution in original post

the_rock · ‎2025-04-10

Can you provide what I asked in the other post?

Andy

cphaprob roles

cphaprob state

cphaprob -l list

cphaprob -i list

cphaprob syncstat

Exonix · ‎2025-04-10

the new node:

[Expert@fw01-3]#
cphaprob roles

ID         Role

1          Master
2 (local)  Non-Master
 cphaprob state

Cluster Mode:   High Availability (Active Up)

ID         Unique Address  Assigned Load   State          Name

1          10.231.149.1    100%            ACTIVE(!)      fw01-2
2 (local)  10.231.149.2    0%              DOWN           fw01-3

cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: problem

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 339.9 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 335.2 sec

Device Name: cphad
Registration number: 2
Timeout: 30 sec
Current state: OK
Time since last report: 4020.2 sec
Process Status: UP

Device Name: routed
Registration number: 3
Timeout: none
Current state: OK
Time since last report: 3971.7 sec

Device Name: Init
Registration number: 4
Timeout: none
Current state: OK
Time since last report: 4015.9 sec

Device Name: cxld
Registration number: 5
Timeout: 30 sec
Current state: OK
Time since last report: 4011.4 sec
Process Status: UP

Device Name: ConnMonitor
Registration number: 6
Timeout: none
Current state: problem
Time since last report: 332.4 sec

Device Name: Local Probing
Registration number: 7
Timeout: none
Current state: OK
Time since last report: 315.3 sec

Active PNOTEs: ConnMonitor, COREXL

Last member state change event:
   Event Code:                 CLUS-114000
   State change:               INIT -> DOWN
   Reason for state change:    Member state has been changed due to restart of the Cluster module
   Event time:                 Thu Apr 10 18:24:50 2025

Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Tue Apr  8 21:21:52 2025 (reboot)

cphaprob -i list

Built-in Devices:

Device Name: CoreXL Configuration
Current state: problem

Registered Devices:

Device Name: ConnMonitor
Registration number: 6
Timeout: none
Current state: problem
Time since last report: 424.5 sec


cphaprob syncstat

Delta Sync Statistics

Sync status: OK

Drops:
Lost updates.................................  0
Lost bulk update events......................  0
Oversized updates not sent...................  0

Sync at risk:
Sent reject notifications....................  0
Received reject notifications................  0

Sent messages:
Total generated sync messages................  351552
Sent retransmission requests.................  1
Sent retransmission updates..................  131
Peak fragments per update....................  1

Received messages:
Total received updates.......................  239847
Received retransmission requests.............  48

Sync Interface:
Name.........................................  LAN2
Link speed...................................  2500Mb/s
Rate.........................................  94440 [Bps]
Peak rate....................................  94440 [Bps]
Link usage...................................   0%
Total........................................  374467[KB]

Queue sizes (num of updates):
Sending queue size...........................  512
Receiving queue size.........................  256
Fragments queue size.........................  50

Timers:
Delta Sync interval (ms).....................  100

Reset on Thu Apr 10 18:25:12 2025 (triggered by fullsync).

the old node:

[Expert@fw01-2]# cphaprob roles

ID         Role

1 (local)  Master
2          Non-Master


cphaprob state

Cluster Mode:   High Availability (Active Up)

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.231.149.1    100%            ACTIVE(!)      fw01-2
2          10.231.149.2    0%              DOWN           fw01-3


Active PNOTEs: COREXL

Last member state change event:
   Event Code:                 CLUS-113905
   State change:               ACTIVE -> ACTIVE(!)
   Reason for state change:    Mismatch in the number of CoreXL FW instances has been detected
   Event time:                 Thu Apr 10 19:07:45 2025

Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Tue Apr  8 21:21:52 2025 (reboot)


cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: problem (non-blocking)

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 591 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 591 sec

Device Name: cphad
Registration number: 2
Timeout: 30 sec
Current state: OK
Time since last report: 151691 sec
Process Status: UP

Device Name: cxld
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 151691 sec
Process Status: UP

Device Name: routed
Registration number: 4
Timeout: none
Current state: OK
Time since last report: 2025.5 sec

Device Name: Init
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 151686 sec

Device Name: Local Probing
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 2015.3 sec


cphaprob -i list

Built-in Devices:

Device Name: CoreXL Configuration
Current state: problem (non-blocking)


cphaprob syncstat


Delta Sync Statistics

Sync status: OK

Drops:
Lost updates.................................  0
Lost bulk update events......................  0
Oversized updates not sent...................  0

Sync at risk:
Sent reject notifications....................  0
Received reject notifications................  0

Sent messages:
Total generated sync messages................  626210
Sent retransmission requests.................  48
Sent retransmission updates..................  2
Peak fragments per update....................  2

Received messages:
Total received updates.......................  23075
Received retransmission requests.............  1

Sync Interface:
Name.........................................  LAN2
Link speed...................................  2500Mb/s
Rate.........................................  0     [Bps]
Peak rate....................................  0     [Bps]
Link usage...................................   0%
Total........................................  391464[KB]

Queue sizes (num of updates):
Sending queue size...........................  512
Receiving queue size.........................  256
Fragments queue size.........................  50

Timers:
Delta Sync interval (ms).....................  100

Reset on Thu Apr 10 18:25:05 2025 (triggered by fullsync).

the_rock · ‎2025-04-10

I can tell right away where the issue is, says corexl configuration. Can you make sure it matches from cpconfig menu, like below in my lab.

Andy

[Expert@CP-FW-01:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :9

Configuring Check Point CoreXL...
=================================

CoreXL is currently enabled with 6 IPv4 firewall instances.

(1) Change the number of firewall instances
(2) Disable Check Point CoreXL
(3) Change firewall mode

(4) Exit
Enter your choice (1-4) :

Exonix · ‎2025-04-10

🤷‍

cpconfig
-bash: cpconfig: command not found

the_rock · ‎2025-04-10

Try fw ctl multik stat?

Andy

Exonix · ‎2025-04-10

both FW have the same:

fw ctl multik stat
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 0      |          25 |       45
 1 | Yes     | 1      |          35 |       52
 2 | Yes     | 2      |          44 |       73
 3 | Yes     | 3      |          32 |       89
 4 | Yes     | 4      |          39 |       74
 5 | Yes     | 5      |          48 |       84
 6 | Yes     | 6      |          40 |       75
 7 | Yes     | 7      |          44 |       78
 8 | Yes     | 8      |          47 |       81
 9 | Yes     | 9      |          40 |       73
10 | Yes     | 10     |          52 |       93
11 | Yes     | 11     |          43 |       72
12 | Yes     | 12     |          34 |       74
13 | Yes     | 13     |          29 |       74
14 | Yes     | 14     |          40 |       93
15 | Yes     | 15     |          35 |       91
16 | Yes     | 16     |          31 |       64
17 | Yes     | 17     |          31 |       74

skandshus · ‎2025-04-10

did you do cpconfig in expert mode?

Exonix · ‎2025-04-10

yes i did in expert mode

the_rock · ‎2025-04-10

Exonix · ‎2025-04-10

After I restarted the new node and some erros are gone. The old node has now errors at all. The new node has now.

Question: how many cables must be used for Syncing? I have only one

cphaprob state

Cluster Mode:   High Availability (Active Up)

ID         Unique Address  Assigned Load   State          Name

1          10.231.149.1    100%            ACTIVE         fw01-2
2 (local)  10.231.149.2    0%              DOWN           fw01-3


Active PNOTEs: ConnMonitor

Last member state change event:
   Event Code:                 CLUS-112100
   State change:               INIT -> DOWN
   Reason for state change:    FULLSYNC PNOTE
   Event time:                 Thu Apr 10 20:31:10 2025

Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Tue Apr  8 21:21:52 2025 (reboot)

cphaprob -i list

Registered Devices:

Device Name: ConnMonitor
Registration number: 6
Timeout: none
Current state: problem
Time since last report: 786.3 sec

skandshus · ‎2025-04-10

did you add a SYNC interface? only 1 is needed for SYNC. 2 could be better but you only need one 🙂

Exonix · ‎2025-04-10

Yes, I added one sync interface, the cluster will not be created without it.

the_rock · ‎2025-04-10

Just normal straight through cable. In the old days, people would use cross-over cable, but not sure anyone even keeps any of those any more lol

Andy

Exonix · ‎2025-04-10

after I restarted the old node the new one became green (no errors), but the old node got same errors...:

cphaprob state

Cluster Mode:   High Availability (Active Up)

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.231.149.1    0%              DOWN           fw01-2
2          10.231.149.2    100%            ACTIVE         fw01-3


Active PNOTEs: ConnMonitor

Last member state change event:
   Event Code:                 CLUS-112100
   State change:               INIT -> DOWN
   Reason for state change:    FULLSYNC PNOTE
   Event time:                 Thu Apr 10 21:05:48 2025

Last cluster failover event:
   Transition to new ACTIVE:   Member 1 -> Member 2
   Reason:                     Reboot
   Event time:                 Thu Apr 10 21:01:42 2025

Cluster failover count:
   Failover counter:           1
   Time of counter reset:      Tue Apr  8 21:21:52 2025 (reboot)

Exonix · ‎2025-04-10

My friend Ivan gave me a link, which solved Cluster issue (but fully working cluster didn't resolve RAS VPN ussie...)

the_rock · ‎2025-04-10

Good to know!

Are you a member of CheckMates?

Cluster of two SMB 1900