Hello,
We have recently set up our 3920 gateways with R82.10. I am facing an issue with the 2nd gateway not coming up; it shows down.
When I check the error message, it shows the Bond1 interface is down, but physically, when I log in to Gaia, it shows up.
We are using Aruba 6300M switches to connect the firewall; the Aruba switches are running a VSF configuration with LAG.
I have attached a snap of the bond1 configuration, the cphaprob stat output, and the Aruba switch configuration.
Which JHF take is this machine deployed with, and what is the output of "cphaprob -a if"?
Hello
FW01> cpinfo -y all
This is Check Point CPinfo Build 914000219 for GAIA
[CPshared]
No hotfixes..
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[MGMT]
No hotfixes..
[FW1]
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
FW1 build number:
This is Check Point's software version R82.10 - Build 407
kernel: R82.10 - Build 422
[SecurePlatform]
No hotfixes..
[CPinfo]
No hotfixes..
[PPACK]
No hotfixes..
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
No hotfixes..
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[CPUpdates]
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 131
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 210
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 38
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 75
BUNDLE_QUID_AUTOUPDATE Take: 53
BUNDLE_HCP_AUTOUPDATE Take: 88
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 10
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 158
BUNDLE_CPSDC_AUTOUPDATE Take: 40
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPviewExporter]
HOTFIX_OTLP_GA
[CPotelcol]
HOTFIX_OTLP_GA
[CPotlpAgent]
HOTFIX_OTLP_GA
FW01> cphaprob -a if
CCP mode: Manual (Unicast)
Required interfaces: 3
Required secured interfaces: 1
Interface Name: Status:
Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) UP
maas_tunnel Non-Monitored
S - sync, HA/LS - bond type, LM - link monitor, P - probing
Virtual cluster interfaces: 2
eth1 50.200.58.244
bond1 192.20.15.5
FW01>
FW02 output-----
FW02> cphaprob -a if
CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 1
Interface Name: Status:
Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) DOWN (61634.2 secs)
maas_tunnel Non-Monitored
S - sync, HA/LS - bond type, LM - link monitor, P - probing
Virtual cluster interfaces: 2
eth1 50.200.58.244
bond1 192.20.15.5
FW02>
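An added example, not part of the original posts: a small Python parser that compares the two `cphaprob -a if` outputs above and lists where the members disagree. The sample text is copied from the thread and trimmed to the lines the parser reads; the function names `parse` and `compare` are illustrative.

```python
import re

# Lines taken from the FW01 output in the thread; FW02 differs in two places.
FW01 = """\
Required interfaces: 3
Required secured interfaces: 1
Interface Name: Status:
Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) UP
maas_tunnel Non-Monitored
"""
FW02 = (FW01.replace("Required interfaces: 3", "Required interfaces: 2")
            .replace("bond1 (LS-P) UP", "bond1 (LS-P) DOWN (61634.2 secs)"))

# name, optional "(flags)", status, optional "(N secs)" down timer
ROW = re.compile(r"^(\S+)\s+(?:\(([^)]+)\)\s+)?(UP|DOWN|Non-Monitored)"
                 r"(?:\s+\(([\d.]+) secs\))?\s*$")

def parse(text):
    """Return (required_count, {ifname: (flags, status, down_secs)})."""
    required, ifaces = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Required interfaces:\s*(\d+)", line)
        if m:
            required = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            name, flags, status, secs = m.groups()
            ifaces[name] = (flags or "", status, float(secs) if secs else None)
    return required, ifaces

def compare(a, b):
    """List the points where member b's view differs from member a's."""
    (req_a, if_a), (req_b, if_b) = parse(a), parse(b)
    findings = []
    if req_a != req_b:
        findings.append(f"required interfaces differ: {req_a} vs {req_b}")
    for name in sorted(set(if_a) | set(if_b)):
        sa = if_a.get(name, ("", "missing", None))
        sb = if_b.get(name, ("", "missing", None))
        if sa[1] != sb[1]:
            down = f" for {sb[2]:.0f}s" if sb[2] else ""
            findings.append(f"{name}: {sa[1]} vs {sb[1]}{down}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(FW01, FW02)))
```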
Is the cabling correct to the switch? Have you investigated the lacp-block?
Cabling has been done as below:
FW01- port 3 to core01 23
FW01 - port 4 to core02 23
FW02 - port 3 to core01 24
FW02 - port 4 to core02 24
It seems like all 4 ports are in the same LAG on the switch side? Should be separate LAGs per gateway.
Might be, I have asked my vendor to check from the Aruba switch end.
Is there anything to check from the Check Point side?
Your screenshots show the Mgmt interface is down, not the bond.
I don't see the bond anywhere. Hey, do you allow remote? I'm just doing some lab work now, but don't start till later, so happy to try to help you.
Hey guys,
Just to update, Vikas and I had a Zoom remote session and below are my notes from it. @VIKAS1, I would certainly check the Aruba switch end, as the config is 100% correct on the CP side.
*************************************
-new 3920 cluster on R82.10
-managed by smart-1 cloud
-in sv monitor, shows bond interface is down
checked cphaprob -a if
this did work fine before, just started today
Aruba switch appears fine
ran cphastop and cphastart on affected member fw02
we also bounced the interface, verified topology, same issue, still shows down from cphaprob state
rebooted fw02 member
verified -> same state, shows as down and bond is down as well
to me, this definitely appears to be Aruba switch related, as config is the same on both members, including bond interface
Hey Vikas,
I did some more lab tests on this and when I had the topology set the way you did, I had the exact same problem. I then changed it to the setting per routing (can't recall the exact name now, but it's the 2nd last option I believe) and then all worked when I installed policy.
@VIKAS1 This is the setting I meant. BUT, please be careful, better to try this in a short maintenance window.