SMB 1800 - Mismatch in the number of CoreXL FW instances
Hi All,
We have a cluster of 1800 appliances (managed centrally via Smart-1 Cloud).
FW2> show software-version
This is Check Point's 1800 Appliance R80.20.30 - Build 285
FW3> show software-version
This is Check Point's 1800 Appliance R80.20.30 - Build 285
Problem:
The cluster doesn't want to go up 😞
Error :
FW3> cphaprob stat
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 10.254.254.246 100% ACTIVE(!) FW2
2 (local) 10.254.254.245 0% DOWN FW3
Active PNOTEs: COREXL
Last member state change event:
Event Code: CLUS-113905
State change: ACTIVE(!) -> DOWN
Reason for state change: Mismatch in the number of CoreXL FW instances has been detected
Event time: Thu Nov 4 19:37:25 2021
[Expert@FW2]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 282 | 392
1 | Yes | 1 | 338 | 490
2 | Yes | 2 | 127 | 301
3 | Yes | 3 | 317 | 387
4 | Yes | 4 | 306 | 535
5 | Yes | 5 | 385 | 536
6 | Yes | 6 | 278 | 723
7 | Yes | 7 | 143 | 230
8 | Yes | 8 | 293 | 531
9 | Yes | 9 | 124 | 275
[Expert@FW3]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 192 | 364
1 | Yes | 1 | 249 | 458
2 | Yes | 2 | 144 | 290
3 | Yes | 3 | 351 | 371
4 | Yes | 4 | 303 | 489
5 | Yes | 5 | 416 | 469
6 | Yes | 6 | 331 | 654
7 | Yes | 7 | 155 | 245
8 | Yes | 8 | 235 | 490
9 | Yes | 9 | 143 | 266
10 | Yes | 10 | 9 | 69
11 | Yes | 11 | 4 | 57
Any suggestions about this?
The appliances are configured with a different number of Firewall cores. On one the number is 10, and on the other it is 12. ClusterXL requires the same number of FWKs to be configured on each member.
Run cpconfig and change that under CoreXL.
There isn't a cpconfig. It is Gaia Embedded.
sk174423: Configuring CoreXL Firewall instances on Quantum Spark Appliances
Great, this is something I missed.
[Expert@FW3]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 250 | 396
1 | Yes | 1 | 262 | 599
2 | Yes | 2 | 292 | 544
3 | Yes | 3 | 142 | 371
4 | Yes | 4 | 133 | 489
5 | Yes | 5 | 291 | 688
6 | Yes | 6 | 408 | 782
7 | Yes | 7 | 126 | 245
8 | Yes | 8 | 330 | 490
9 | Yes | 9 | 92 | 554
10 | Yes | 10 | 0 | 69
11 | Yes | 11 | 0 | 57
[Expert@FW3]# FW_BOOT_DIR=/opt/fw1/boot fwboot corexl enable 10
stat :: No such file or directory
[Expert@FW3]# fw6 ctl multik stat
Unable to open '/dev/fw6v0': No such file or directory
Failed to get multiple kernel statistics: No such file or directory
Maybe these commands no longer function on this version?
They do work on my 1530 - but fw6 multik stat only works if IPv6 is enabled. I also saw the stat :: No such file or directory error, but that was caused by a typo - /fw/...
Your firmware version?
R80.20.30 (992002349)
Copy & Paste from sk:
[Expert@fifteenfifty]# FW_BOOT_DIR=/opt/fw1/boot fwboot corexl enable 4
[Expert@fifteenfifty]#
Maybe because I did try FW_BOOT_DIR=/opt/fw1/boot before in the first tests - but leaving it out in the command above does not work.
Fun part: Click Tab after
# fwboot corexl
Do you see the same problem with R80.20.35?
I would suggest asking TAC to resolve this!
Solution:
Create the file manually -
# cat /opt/fw1/boot/boot.conf
KERN_INSTANCE_NUM 10
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
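
Added example (not code from the thread or from Check Point): a small script that counts CoreXL firewall instances in saved fw ctl multik stat output from each cluster member and reads KERN_INSTANCE_NUM from boot.conf text, so a 10 vs 12 mismatch like the one in this thread shows up before a member goes DOWN. The function names, file names and sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): compare CoreXL FW instance counts
# between cluster members from saved `fw ctl multik stat` output.

# Count rows with a numeric ID and Active = Yes; header/ruler lines are skipped.
count_instances() {
    awk -F'|' '
        { id = $1; act = $2
          gsub(/[ \t]/, "", id); gsub(/[ \t]/, "", act)
          if (id ~ /^[0-9]+$/ && act == "Yes") n++ }
        END { print n + 0 }'
}

# Read KERN_INSTANCE_NUM from boot.conf-style text on stdin ("unset" if absent).
configured_instances() {
    awk '$1 == "KERN_INSTANCE_NUM" { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

# Compare two saved outputs: returns 0 when counts match, 1 on mismatch.
compare_members() {
    a=$(count_instances < "$1")
    b=$(count_instances < "$2")
    if [ "$a" -eq "$b" ]; then
        echo "OK: both members run $a CoreXL FW instances"
    else
        echo "MISMATCH: $1 has $a, $2 has $b"
        return 1
    fi
}

# Constructed sample data in the shape of `fw ctl multik stat` output.
sample_stat() {
    echo "ID | Active | CPU | Connections | Peak"
    echo "----------------------------------------------"
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "$i | Yes | $i | 100 | 200"
        i=$((i + 1))
    done
}

tmp=$(mktemp -d)
sample_stat 10 > "$tmp/FW2.txt"
sample_stat 12 > "$tmp/FW3.txt"
compare_members "$tmp/FW2.txt" "$tmp/FW3.txt" || true
printf 'KERN_INSTANCE_NUM 10\nCOREXL_INSTALLED 1\n' | configured_instances
rm -rf "$tmp"
```

To use it with real data, save the output of fw ctl multik stat from each member to a file and pass both paths to compare_members.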
I did fear such a solution 😒 It has worked for me because boot.conf did exist already:
KERN_INSTANCE_NUM 4
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
Seems KERN6 is only used if IPv6 is active - but as my 1550 has 4 cores only, IPv6 on will reduce IPv4 to 2 cores. You have enabled IPv6? Otherwise I would change KERN_INSTANCE_NUM to 12...
This was suggested to me by the TAC (in my scenario).
I understand that, but if IPv6 is disabled, you would have two unused cores. Or does fw ctl multik stat show all 12 Cores as active?
In sk174423 (Configuring CoreXL Firewall instances on Quantum Spark Appliance) there is a table that explains this.
No, the same core can serve as IPv4 and v6 at the same time. It is not just one or another. With 12 cores, you need at least 2 of them for SND/PPK, hence the recommendation of 10 CoreXL cores for a standard config.
Yes, that is the answer - SND/PPK of course need 2 cores!