Hi all
We are stuck on a strange issue when upgrading a cluster from 80.10 to 80.30.
Short description:
We have two 80.10 GW appliances, facing two internet connections with BGP, advertising one /24 with equal metric via both providers.
Both BGP sessions are Established on the primary cluster member (confirmed in HA and LS mode).
After upgrading to 80.30 one of the BGP comes up without issues, the other stays in Active state.
routed.log says: interface eth1 has NO IPv4 CLUSTER address
Error is logged even though cluster addresses are properly configured and the BGP won't move to Established state.
Shutting down the working BGP (disable interface) and waiting for the other to come up did not help.
We tested this on 4600 appliances then did the config from scratch on a brand new 6400 - same issue.
I would appreciate any suggestions 🙂
Yep, and the result of cphaprob -a if is looking good.
TAC case is probably in order then:
We scheduled a meeting with TAC for tonight as this is impacting prod firewalls and downtime is a bit tricky.
I was hoping that someone ran into the same issue and could help reduce the time to resolve it.
Will share results after debug digging.
Anyways - thank you for the reply 🙂
BGP is not supported on non-clustered interfaces in a clustered environment. Thanks for checking routed.log. If this is a clustered environment and eth1 is not configured with cluster VIP then please configure it. If eth1 is configured with clustered VIP then please check the output of:
cphaprob -a if ---> this should show whether VIP is configured and installed.
show routed cluster-state detailed ---> this should show whether routing daemon has the VIP.
Hi, I was also involved in debugging this issue and we ran both commands.
cphaprob -a if - shows that eth1 exists and the VIP is configured and installed; the VIP was also accessible from the outside world.
show routed cluster-state detailed - eth1 is missing from here. Only 3 of 4 VIP interfaces were shown here.
We had a remote session with TAC and the issue was resolved, but it was not very clear what the problem was and how it was resolved.
The last thing that we did before resolving it was aligning the host name of the machine and the object name in the policy.
After rebooting the device, BGP sessions to both providers were established and working.
I am still curious what could be the reason for the VIP address missing in the routed configuration and how to fix it.
Thanks