Hi All,
We have a cluster of 1800 appliances (managed centrally via Smart-1 Cloud)
FW2> show software-version
This is Check Point's 1800 Appliance R80.20.30 - Build 285
FW3> show software-version
This is Check Point's 1800 Appliance R80.20.30 - Build 285
Problem:
Cluster doesn't want to go up 😞
Error :
FW3> cphaprob stat
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 10.254.254.246 100% ACTIVE(!) FW2
2 (local) 10.254.254.245 0% DOWN FW3
Active PNOTEs: COREXL
Last member state change event:
Event Code: CLUS-113905
State change: ACTIVE(!) -> DOWN
Reason for state change: Mismatch in the number of CoreXL FW instances has been detected
Event time: Thu Nov 4 19:37:25 2021
[Expert@FW2]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 282 | 392
1 | Yes | 1 | 338 | 490
2 | Yes | 2 | 127 | 301
3 | Yes | 3 | 317 | 387
4 | Yes | 4 | 306 | 535
5 | Yes | 5 | 385 | 536
6 | Yes | 6 | 278 | 723
7 | Yes | 7 | 143 | 230
8 | Yes | 8 | 293 | 531
9 | Yes | 9 | 124 | 275
[Expert@FW3]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 192 | 364
1 | Yes | 1 | 249 | 458
2 | Yes | 2 | 144 | 290
3 | Yes | 3 | 351 | 371
4 | Yes | 4 | 303 | 489
5 | Yes | 5 | 416 | 469
6 | Yes | 6 | 331 | 654
7 | Yes | 7 | 155 | 245
8 | Yes | 8 | 235 | 490
9 | Yes | 9 | 143 | 266
10 | Yes | 10 | 9 | 69
11 | Yes | 11 | 4 | 57
Any suggestions about this?
The appliances are configured with different amounts of Firewall cores. On one the amount is 10, and on the other it is 12. ClusterXL requires the same amount of FWKs to be configured on each member.
Run cpconfig and change that under CoreXL
There isn't a cpconfig. It is a Gaia Embedded
sk174423: Configuring CoreXL Firewall instances on Quantum Spark Appliances
Great, this is something I missed.
[Expert@FW3]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 250 | 396
1 | Yes | 1 | 262 | 599
2 | Yes | 2 | 292 | 544
3 | Yes | 3 | 142 | 371
4 | Yes | 4 | 133 | 489
5 | Yes | 5 | 291 | 688
6 | Yes | 6 | 408 | 782
7 | Yes | 7 | 126 | 245
8 | Yes | 8 | 330 | 490
9 | Yes | 9 | 92 | 554
10 | Yes | 10 | 0 | 69
11 | Yes | 11 | 0 | 57
[Expert@FW3]# FW_BOOT_DIR=/opt/fw1/boot fwboot corexl enable 10
stat :: No such file or directory
[Expert@FW3]# fw6 ctl multik stat
Unable to open '/dev/fw6v0': No such file or directory
Failed to get multiple kernel statistics: No such file or directory
Maybe these commands no longer function on this version?
They do work on my 1530 - but fw6 multik stat only works if IPv6 is enabled. I also saw the stat :: No such file or directory error, but that was caused by a typo - /fw/...
Your firmware version?
R80.20.30 (992002349)
Copy & Paste from sk:
[Expert@fifteenfifty]# FW_BOOT_DIR=/opt/fw1/boot fwboot corexl enable 4
[Expert@fifteenfifty]#
Maybe because I did try FW_BOOT_DIR=/opt/fw1/boot before in the first tests - but leaving it out in the command above does not work.
Fun part: Click Tab after
# fwboot corexl
Do you see the same problem with R80.20.35?
I would suggest asking TAC to resolve this!
Solution:
Create the file manually:
# cat /opt/fw1/boot/boot.conf
KERN_INSTANCE_NUM 10
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
I did fear such a solution 😒 It has worked for me because boot.conf did exist already:
KERN_INSTANCE_NUM 4
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
Seems KERN6 is only used if IPv6 is active - but as my 1550 has 4 cores only, IPv6 on will reduce IPv4 to 2 cores. Have you enabled IPv6? Otherwise I would change KERN_INSTANCE_NUM to 12...
This was suggested to me by TAC (in my scenario)
I understand that, but if IPv6 is disabled, you would have two unused cores. Or does fw ctl multik stat show all 12 cores as active?
In sk174423 (Configuring CoreXL Firewall instances on Quantum Spark Appliances) there is a table that explains this.
No, same core can serve as IPv4 and v6 at the same time. It is not just one or another. With 12 cores, you need at least 2 of them for SND/PPK, hence 10 CoreXL cores recommendation for a standard config.
Yes, that is the answer - SND/PPK of course need 2 cores!
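
The check this thread comes down to (both ClusterXL members must run the same number of CoreXL firewall instances), as an added example that is not part of the original posts: it counts active instances in saved `fw ctl multik stat` output from each member and reads `KERN_INSTANCE_NUM` from boot.conf-style text. The function names are hypothetical and the sample data is constructed in the format shown above.

```shell
#!/bin/sh
# Added example (not from the thread): compare CoreXL FW instance counts
# between two cluster members from saved `fw ctl multik stat` output.

# Count rows whose Active column is "Yes" (output read from stdin).
count_active_instances() {
    awk -F'|' '
        # Data rows start with a numeric ID; header and dashes are skipped.
        $1 ~ /^ *[0-9]+ *$/ {
            gsub(/ /, "", $2)
            if ($2 == "Yes") n++
        }
        END { print n + 0 }'
}

# Print KERN_INSTANCE_NUM from boot.conf-style text on stdin (empty if absent).
configured_instances() {
    awk '$1 == "KERN_INSTANCE_NUM" { print $2; exit }'
}

# Return 0 when both counts match, 1 on the mismatch that raises the COREXL pnote.
compare_members() {
    if [ "$1" -eq "$2" ]; then
        echo "OK: both members run $1 CoreXL FW instances"
    else
        echo "MISMATCH: $1 vs $2 CoreXL FW instances; align them before clustering"
        return 1
    fi
}

# Constructed sample data in the format shown in this thread.
SAMPLE_A='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 282 | 392
1 | Yes | 1 | 338 | 490'
SAMPLE_B='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 192 | 364
1 | Yes | 1 | 249 | 458
2 | Yes | 2 | 9 | 69'
SAMPLE_CONF='KERN_INSTANCE_NUM 10
COREXL_INSTALLED 1'

a=$(printf '%s\n' "$SAMPLE_A" | count_active_instances)
b=$(printf '%s\n' "$SAMPLE_B" | count_active_instances)
compare_members "$a" "$b" || true
echo "boot.conf requests $(printf '%s\n' "$SAMPLE_CONF" | configured_instances) instances"
```

On real members, pipe the saved output of `fw ctl multik stat` from each gateway into `count_active_instances` instead of the sample strings.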