L_Rossi_89
Contributor

SMB 1800 - Mismatch in the number of CoreXL FW instances

Hi All,

We have a cluster of 1800 appliances (managed centrally via Smart-1 Cloud).

FW2> show software-version
This is Check Point's 1800 Appliance R80.20.30 - Build 285

FW3> show software-version
This is Check Point's 1800 Appliance R80.20.30 - Build 285

Problem:

The cluster doesn't want to go up 😞

Error :

FW3> cphaprob stat

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State      Name
1          10.254.254.246  100%            ACTIVE(!)  FW2
2 (local)  10.254.254.245  0%              DOWN       FW3


Active PNOTEs: COREXL

Last member state change event:
Event Code: CLUS-113905
State change: ACTIVE(!) -> DOWN
Reason for state change: Mismatch in the number of CoreXL FW instances has been detected
Event time: Thu Nov 4 19:37:25 2021

[Expert@FW2]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 282 | 392
1 | Yes | 1 | 338 | 490
2 | Yes | 2 | 127 | 301
3 | Yes | 3 | 317 | 387
4 | Yes | 4 | 306 | 535
5 | Yes | 5 | 385 | 536
6 | Yes | 6 | 278 | 723
7 | Yes | 7 | 143 | 230
8 | Yes | 8 | 293 | 531
9 | Yes | 9 | 124 | 275

[Expert@FW3]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 192 | 364
1 | Yes | 1 | 249 | 458
2 | Yes | 2 | 144 | 290
3 | Yes | 3 | 351 | 371
4 | Yes | 4 | 303 | 489
5 | Yes | 5 | 416 | 469
6 | Yes | 6 | 331 | 654
7 | Yes | 7 | 155 | 245
8 | Yes | 8 | 235 | 490
9 | Yes | 9 | 143 | 266
10 | Yes | 10 | 9 | 69
11 | Yes | 11 | 4 | 57

Any suggestions about this?

0 Kudos
18 Replies
_Val_
Admin

The appliances are configured with different numbers of Firewall cores. On one the number is 10, and on the other it is 12. ClusterXL requires the same number of FWKs to be configured on each member.

Run cpconfig and change that under CoreXL.

0 Kudos
L_Rossi_89
Contributor

There isn't a cpconfig. It is Gaia Embedded.

0 Kudos
G_W_Albrecht
Legend

sk174423: Configuring CoreXL Firewall instances on Quantum Spark Appliances

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin

Great, this is something I missed.

0 Kudos
L_Rossi_89
Contributor

[Expert@FW3]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 250 | 396
1 | Yes | 1 | 262 | 599
2 | Yes | 2 | 292 | 544
3 | Yes | 3 | 142 | 371
4 | Yes | 4 | 133 | 489
5 | Yes | 5 | 291 | 688
6 | Yes | 6 | 408 | 782
7 | Yes | 7 | 126 | 245
8 | Yes | 8 | 330 | 490
9 | Yes | 9 | 92 | 554
10 | Yes | 10 | 0 | 69
11 | Yes | 11 | 0 | 57

[Expert@FW3]# FW_BOOT_DIR=/opt/fw1/boot fwboot corexl enable 10
stat :: No such file or directory

[Expert@FW3]# fw6 ctl multik stat
Unable to open '/dev/fw6v0': No such file or directory
Failed to get multiple kernel statistics: No such file or directory

Maybe these commands no longer function on this version?

0 Kudos
G_W_Albrecht
Legend

They do work on my 1530 - but fw6 multik stat only works if IPv6 is enabled. I also saw the stat :: No such file or directory error, but that was caused by a typo - /fw/...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
L_Rossi_89
Contributor

Your firmware version?

0 Kudos
G_W_Albrecht
Legend

R80.20.30 (992002349)
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Copy & Paste from sk:

[Expert@fifteenfifty]# FW_BOOT_DIR=/opt/fw1/boot fwboot corexl enable 4

[Expert@fifteenfifty]# 

Maybe because I did try FW_BOOT_DIR=/opt/fw1/boot before in the first tests - but leaving it out in the command above does not work.

Fun part: Click Tab after

# fwboot corexl

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

Do you see the same problem with R80.20.35?

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

I would suggest asking TAC to resolve this!

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
L_Rossi_89
Contributor

Solution:

Create the file manually:

# cat /opt/fw1/boot/boot.conf
KERN_INSTANCE_NUM 10
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2

0 Kudos
G_W_Albrecht
Legend

I did fear such a solution 😒 It has worked for me because boot.conf did exist already:

KERN_INSTANCE_NUM 4
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2

Seems KERN6 is only used if IPv6 is active - but as my 1550 has 4 cores only, IPv6 on will reduce IPv4 to 2 cores. Have you enabled IPv6? Otherwise I would change KERN_INSTANCE_NUM to 12...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
L_Rossi_89
Contributor

This was suggested to me by the TAC (in my scenario).

0 Kudos
G_W_Albrecht
Legend

I understand that, but if IPv6 is disabled, you would have two unused cores. Or does fw ctl multik stat show all 12 cores as active?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
L_Rossi_89
Contributor

In sk174423 (Configuring CoreXL Firewall instances on Quantum Spark Appliance) there is a table that explains this.

0 Kudos
_Val_
Admin

No, the same core can serve as IPv4 and v6 at the same time. It is not just one or another. With 12 cores, you need at least 2 of them for SND/PPK, hence the recommendation of 10 CoreXL cores for a standard config.

0 Kudos
G_W_Albrecht
Legend

Yes, that is the answer - SND/PPK of course need 2 cores!

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
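
An added example, not written by any poster in this thread and not Check Point tooling: a POSIX shell pre-check that counts the active CoreXL instances in saved `fw ctl multik stat` output from each member and reads KERN_INSTANCE_NUM from a copy of boot.conf. The function names, file names and sample rows are constructed for illustration; the output format follows the listings posted above.

```shell
#!/bin/sh
# Added example: compare CoreXL instance counts between two cluster members
# from saved `fw ctl multik stat` output. All sample data below is constructed.

# Count rows whose ID is numeric and whose Active column is "Yes" (stdin).
count_active() {
    awk -F'|' '$1 ~ /^ *[0-9]+ *$/ && $2 ~ /Yes/ { n++ } END { print n + 0 }'
}

# Print the KERN_INSTANCE_NUM value from boot.conf content (stdin).
configured_instances() {
    awk '$1 == "KERN_INSTANCE_NUM" { print $2; exit }'
}

# compare_members FILE_A FILE_B: return 0 if both show the same count, else 1.
compare_members() {
    a=$(count_active < "$1")
    b=$(count_active < "$2")
    if [ "$a" -eq "$b" ]; then
        echo "OK: both members run $a CoreXL FW instances"
    else
        echo "MISMATCH: $1 has $a instances, $2 has $b"
        return 1
    fi
}

# Constructed sample: emit output shaped like `fw ctl multik stat` with N rows.
sample_stat() {
    echo "ID | Active | CPU | Connections | Peak"
    echo "----------------------------------------------"
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "$i | Yes | $i | 100 | 200"
        i=$((i + 1))
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sample_stat 10 > "$tmp/FW2.txt"   # stands in for output saved on FW2
sample_stat 12 > "$tmp/FW3.txt"   # stands in for output saved on FW3
printf 'KERN_INSTANCE_NUM 10\nCOREXL_INSTALLED 1\nKERN6_INSTANCE_NUM 2\n' \
    > "$tmp/boot.conf"            # same content as the file in the solution post

compare_members "$tmp/FW2.txt" "$tmp/FW3.txt" || echo "Members differ."
echo "boot.conf requests $(configured_instances < "$tmp/boot.conf") instances"
```
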
