This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2024-01-08 10:57 AM

ClusterXL Alert (!)

Hello,

I have a ClusterXL R81.10 with an alert.

The problem is that according to the "cphaprob -a if" command, the interface Eth1.19 ... is up, however, I still see the Cluster "alerted" when I query with the "cphaprob state", I see the member 2 with the symbol !

The fact of having the Cluster alerted, gives me the impression, that it is causing that from the SmartConsole, I see the alert related to a problem by the "AntiBot", but checking the AntiBot, I observe that everything is fine.

The GW has Internet connectivity and DNS resolution.

Is there a way to correct this?

Preview file
2 KB
0 Kudos
11 Replies
genisis__
Leader Leader
Leader
‎2024-01-08 11:01 AM

Can you check your trunking to ensure L2 vlans are seen by both sides.  Also provide the output from SG1.

0 Kudos
the_rock
Legend
Legend
‎2024-01-08 11:02 AM

Hey bro,

Have you tried cphastop; cphastart on the cluster member with the issue?

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-08 11:03 AM

Did you address the two problems mentioned here?
Neither of these issues are with Anti-Bot.

Last member state change event:
   Event Code:                 CLUS-110305
   State change:               ACTIVE -> ACTIVE(!)
   Reason for state change:    Interface eth1.19 is down (Cluster Control Protocol packets are not received)
   Event time:                 Mon Dec 18 16:34:17 2023

Last cluster failover event:
   Transition to new ACTIVE:   Member 1 -> Member 2
   Reason:                     Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
   Event time:                 Thu Dec 14 11:29:25 2023

 

Matlu
Advisor
‎2024-01-08 11:47 AM
In response to PhoneBoy

Hello,

I provide the output of SG1 and SG2.

I suspect that by having this "alert" in the Cluster (!), it may be causing the alert related to my AntiBot.

I have done basic tests, such as making sure that there is internet connectivity from the 2 GWs and that both resolve DNS, and everything is fine.

The problem is that from the SmartConsole, I have the alert both at ClusterXL and AntiBot level.

I think, that both problems are related.

I have applied the validation command "cpstat antimalware -f update_status" on the member that is "ACTIVE(!)" and I get the following result.

Attached is the result of several commands applied on both GWs.

Thanks for your comments.



Preview file
8 KB
0 Kudos
the_rock
Legend
Legend
‎2024-01-08 11:52 AM
In response to Matlu

Can you send cphaprob -a if of cpfw02?

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-01-08 11:55 AM
In response to Matlu

Nm, got it. Okay, so on fw01, shows required interfaces 5 and other one shows 6, so something is not matching. Can you confirm topology is correct as far as cluster config for those interfaces?

Andy

0 Kudos
Matlu
Advisor
‎2024-01-08 12:31 PM
In response to the_rock

I'm observing the difference.

Indeed, I see that my SG2, has 6 "Required Interfaces" and the SG1, only 5.

---------------------------------------------------------------------

[Expert@SG2:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 6
Required secured interfaces: 1

[Expert@SG1:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 5
Required secured interfaces: 1

---------------------------------------------------------------------

These values must be identical in both members, right?

How can I fix this error?
Because according to my client, there should be 6 "Required Interfaces", not 5.

0 Kudos
the_rock
Legend
Legend
‎2024-01-08 12:35 PM
In response to Matlu

If they dont match, cluster will never work properly. So, have them check smart console topology and observe those 6 interfaces to confirm topology is indeed set as cluster for them.

I attached example from my lab

Andy

 

 

 

Screenshot_1.png

 

Screenshot_2.png

0 Kudos
Matlu
Advisor
‎2024-01-08 12:54 PM
In response to the_rock

It validates it.

Indeed, there should only be 5 Required Interfaces (I made a mistake in the # I said in the previous post).

The interfaces are in the SmartConsole topology, under "type -> Cluster" except for the Sync interface, which is under "type -> Sync".

It occurs to me then, that from the SmartConsole I should give a "Get Interfaces Without Topology", to "refresh" maybe the console, and mitigate the ClusterXL alert?

0 Kudos
the_rock
Legend
Legend
‎2024-01-08 12:55 PM
In response to Matlu

As long as you are positive its correct, yes, do that and install the policy.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-01-08 11:09 AM

Those things Phoneboy mentioned are 100% relevant, for sure, but just wondering, as they show mid December date, was it fixed since then?

Please verify by running below

cphaprob -a if

cphaorrob -l list

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events