This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Platinum
MVP Platinum
‎2023-08-21 09:34 AM

ClusterXL failover question

Hey guys,

Im hoping someone can confirm this for me 100%. Customer is using clusterXL active-standby method and last few times, we had instance where if we add new vlan either on active or standby member, it would always cause a failover.

Now, that sort of makes sense possibly in their case, as kernel parameter fwha_monitor_all_vlan is set to 1 and they already have 3 vlans configured. At least thats my logic and TAC seems to agree with it, so we will disable it next window and test.

But, here is something I find odd. My colleague set up PBR on current active and that caused a failover as well. Is that normal?? I cant see how that could happen, unless its obviously tied to BGP, which is configured, since it was complaining that routed pnote was the issue.

I see below sk, but its more what to check when failover happens:

https://support.checkpoint.com/results/sk/sk62570

My question is this...is there an official sk or document STATING what changes would indeed cause failover?

Thanks as always.

Andy

Best,
Andy
0 Kudos
4 Replies
JozkoMrkvicka
Authority
Authority
‎2023-08-21 11:48 AM

Was that newly added VLAN the lowest or highest VLAN-ID on specific interface? By default, CP is monitoring only lowest and highest VLANs. If VLAN is not correctly tagged/created/stretched on the switches, it might cause failover. The monitoring of highest/lowest VLANs is done over CCP (udp/8116).

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-08-21 11:52 AM
In response to JozkoMrkvicka

Hey @JozkoMrkvicka 

Thanks for the response. I believe it was neither, somewhere in the middle...lowest was 20, highest 500 I think and this one was 208. But, regardless, I think thats due to kernel parameter I mentioned, but now, question is, if anyone can confirm 100% or if there is an official sk or statement what activities would actually cause failover? Because to me, makes no sense that during one window, when we added new vlan on STANDBY member, even that causes failover??!! I mean, how?

And then, when we showed that to TAC person, I think guy was even more confused than we were LOL

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-08-23 08:16 AM

All routing configuration changes are handled by routed. I could definitely see changes to PBR config causing failovers. I suspect a better question would be what interface and/or routing changes would not cause failovers.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-08-23 08:26 AM
In response to Bob_Zimmerman

Ok, thats fair, though when my colleague and I did PBR changes the 2nd time, failover did NOT happen.

So, here is my question then...what changes would NOT cause a failover? : - )

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events