ClusterXL inactive or machine is down
Hi,
I have created a small environment in which to test Gaia. I am still at the beginning and have not learned much yet.
This environment consists of two physical machines (open servers) with two Gaia 80.40 installations as gateways and one virtual machine as management.
I am stuck with a gateway cluster problem: in device status I only see "ClusterXL inactive or machine is down". I have read about it but I have not found anything that can help me.
Can you help me out of this situation? I leave some screens so that my situation can be clearer.
(Since it is a test environment I cannot reach the internet; it is a closed environment. I cannot ping the two gateways while the management does. Despite not being able to ping them, I can reach the web interface without problems.)
Thank you very much.
- Labels: ClusterXL, Gaia, Open Server
Accepted Solutions
In the topology page on the GW, make sure your interfaces and the topology for those are correctly defined. The external interface is the one where the default GW is set. The rest are internal. Make sure the first policy you apply is ANY-ANY-ANY-ACCEPT.
On your FW GWs, go on ssh/console and run "fw unloadlocal". After you have done so, on MGMT check SIC is working. If it is, fetch interfaces with policy, then push policy as described above.
Best, look into the Check Point for Beginners series; we discuss setting up GWs there in the Network security section. I have provided you the links already.
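The topology rule in this answer (the interface facing the default gateway is external, the rest internal), together with the sync interface asked for elsewhere in the thread, can be sanity-checked before a policy push. The following is an added example, not part of the original post and not Check Point tooling; the interface names, addresses and the `check_topology` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): interface addresses as set in
# Gaia on each member, and the role each interface has in the cluster topology.
MEMBERS = {
    "gw1": {"eth0": "192.168.10.1/24", "eth1": "10.0.0.1/24", "eth2": "172.16.0.1/30"},
    "gw2": {"eth0": "192.168.10.2/24", "eth1": "10.0.0.2/24", "eth2": "172.16.0.2/30"},
}
DEFAULT_GW = "192.168.10.254"
TOPOLOGY = {  # role is "external", "internal" or "sync"; vip only on clustered nets
    "eth0": {"role": "internal", "vip": "192.168.10.3"},  # deliberately wrong role
    "eth1": {"role": "internal", "vip": "10.0.0.3"},
    "eth2": {"role": "sync", "vip": None},
}

def check_topology(members, default_gw, topology):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    gw = ipaddress.ip_address(default_gw)
    for ifname, entry in topology.items():
        # Subnets the members actually have on this interface.
        nets = {ipaddress.ip_interface(m[ifname]).network
                for m in members.values() if ifname in m}
        missing = [name for name, m in members.items() if ifname not in m]
        if missing:
            findings.append(f"{ifname}: not configured on {', '.join(missing)}")
        if len(nets) > 1:
            findings.append(f"{ifname}: members are in different subnets")
        faces_gw = any(gw in net for net in nets)
        if faces_gw and entry["role"] != "external":
            findings.append(f"{ifname}: holds the default gateway but is '{entry['role']}'")
        if not faces_gw and entry["role"] == "external":
            findings.append(f"{ifname}: marked external but default gateway is elsewhere")
        vip = entry.get("vip")
        if vip and not any(ipaddress.ip_address(vip) in net for net in nets):
            findings.append(f"{ifname}: virtual IP {vip} is outside the member subnet")
    if not any(e["role"] == "sync" for e in topology.values()):
        findings.append("no interface is defined as the sync network")
    return findings

if __name__ == "__main__":
    for line in check_topology(MEMBERS, DEFAULT_GW, TOPOLOGY) or ["topology looks consistent"]:
        print(line)
```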
Did you push policy on them yet?
It fails every time; looking at the details, it says nothing in particular.
What are the parameters of your GW VMs? RAM and HDD size? How many CPUs?
I have both physical GWs with 1 CPU Intel Xeon E5-2665 2.40GHz, 32 GB RAM, 900 GB HDD and 2 network cards. One is connected to the switch and the other is connected to the other GW for the HA.
The management VM has 2 CPUs with 2 cores per socket (4 cores), 8 GB RAM, 80 GB HDD and 1 network adapter.
@fabiofabio One of the most common issues when playing on VMware is not setting enough HW power on your VMs. Look here and make sure your virtual machines have at least the required minimum, as mentioned in the article: https://community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/Part-2-Preparing-the-Lab/ba-p/8805...
From the policy installation failure screen, click the "V" symbol next to the first "Failed" to expand the actual failure error message, and post a screenshot of that. It is also possible that clustering has not been enabled from cpconfig on one or both of the cluster members, and as Val said the cluster state will report "problem" until policy is successfully installed.
I have enabled both GWs for clustering while installing Gaia, but for safety I have now checked by CLI and it is enabled.
Thanks for the tip of the "V"; I leave attached the screen. I have already tried to reinstall the SIC on both GWs, restarted the GWs and re-established the communication of the cluster members. What can I still do?
You need to provision a third interface on both your gateways, connect them, and set it to be the cluster sync network.
I leave attached a screen with the network interfaces and configuration. Was that what you meant?
I also leave the screen of a warning that appears to me every time I exit the cluster settings.
Read my prior post again. You need a third NIC interface provisioned in Gaia on both cluster members, then define that third interface as 1st Sync in the cluster topology.
I did it but the same error remained, so I tried to disable the antispoofing and it allowed me to install the policies. At that point the cluster was OK, but I can no longer reach the web interface of the gateways. If I now try to re-enable antispoofing, it does not allow me to install the policies, with the same error as before (asking to install a second cable for the cluster, although there are already one for the cluster and one for the sync).
Which points to the topology misconfiguration. Fix it, and all will work.
I looked for the solution but I can't get out of it for now. Looking for the error I came across sk138132, but it didn't solve the problem and I didn't find anything else about it. Any suggestions? 🙂
Thank you very much, I finally succeeded. The problem was the main GW interface set to private. Setting it in cluster, setting the virtual IP and putting it in external, I succeeded. It's not something to do in a production environment but oh well, it's just a laboratory. But now I have no idea what I did: the cluster communicates with the management but the GWs are no longer reachable from the web interface or even via SSH. I must also say that the GWs have never been able to ping them. Any idea?
@_Val_ Sorry, my fault. Now everything works. Thanks again for the support!
No need to be sorry, we are here to help everybody out, @fabiofabio
If you use the CLI to bring up the cluster member, what does it say?
Are the cables connected properly for the sync interface?
He will not be able to bring cluster up before policy is installed. He cannot install policy, let him figure out this part first :-), before anything else.
The GWs are already part of the cluster members.
Thanks for the sync cable tip, it wasn't. Now I have configured the IP on the network cards of both GWs from the web interface and then I have configured the interfaces from the cluster. I leave a screen attached because I'm not sure I have configured it well.
Now every time I exit the cluster settings I get this screen that I leave attached, and I do not understand what it is.
Can you run below commands on both members from ssh and send us the output?
cphaprob state
cphaprob -a if
cphaprob list
cphaprob syncstat
No need, @the_rock, he is struggling to push policy.
Yes, correct, sorry.
Maybe sharing a screenshot of your topology would help (you can blur out public IP addresses, that's fine).
