This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VIKAS1
Collaborator
Monday
Jump to solution

ClusterXl issue on 3920 82.10

Hello,

We have recent setup our 3920 gateways with R82.10. I am facing issue with 2nd Gateway not coming up , it's show down.

when i check with error massage it's show Bond1 interface is down, but physical when i login Gaia it's show up.

We are using Aruba 6300M switches to connect Firewall where Aruba Switches are running on VSF configuration with Lag.

i have attached snap for the bond1 configuration, cphaprob stat output, also Aruba Switch configuration snap.

 

Preview file
94 KB
Preview file
32 KB
Preview file
56 KB
Preview file
49 KB
0 Kudos
1 Solution

Accepted Solutions
VIKAS1
Collaborator
2 hours ago
In response to the_rock
Jump to solution

thanks Andy for support...the issue has been resolved.

I have created one more lag on Aruba switch and tag with the ports.

i was  trying to carry two different firewalls within the same lag. Logically, as recommend connecting the ends of each firewall connected to the 6300m side to different lag groups

 

!
! LAG100 for CP1
interface lag 100
 description CP1_inside
 no shutdown
 no routing
 vlan trunk native 15
 vlan trunk allowed all
 lacp mode active
 lacp rate fast
exit

interface 1/1/23
 no shutdown
 no routing
 lag 100
exit

interface 2/1/23
 no shutdown
 no routing
 lag 100
exit

! LAG101 for CP2
interface lag 101
 description CP2_inside
 no shutdown
 no routing
 vlan trunk native 15
 vlan trunk allowed all
 lacp mode active
 lacp rate fast
exit

interface 1/1/24
 no shutdown
 no routing
 lag 101
exit

interface 2/1/24
 no shutdown
 no routing
 lag 101
exit

View solution in original post

Preview file
71 KB
Preview file
137 KB
27 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Monday
Jump to solution

Which JHF take is this machine deployed with and what is the output of "cphaprob -a if" ?

 

CCSM R77/R80/ELITE
0 Kudos
VIKAS1
Collaborator
Monday
In response to Chris_Atkinson
Jump to solution

Hello

FW01> cpinfo -y all

This is Check Point CPinfo Build 914000219 for GAIA
[CPshared]
No hotfixes..
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[MGMT]
No hotfixes..
[FW1]
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R82.10 - Build 407
kernel: R82.10 - Build 422
[SecurePlatform]
No hotfixes..
[CPinfo]
No hotfixes..
[PPACK]
No hotfixes..
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
No hotfixes..
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[CPUpdates]
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 131
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 210
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 38
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 75
BUNDLE_QUID_AUTOUPDATE Take: 53
BUNDLE_HCP_AUTOUPDATE Take: 88
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 10
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 158
BUNDLE_CPSDC_AUTOUPDATE Take: 40
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPviewExporter]
HOTFIX_OTLP_GA
[CPotelcol]
HOTFIX_OTLP_GA
[CPotlpAgent]
HOTFIX_OTLP_GA

FW01> cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 3
Required secured interfaces: 1


Interface Name: Status:

Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) UP
maas_tunnel Non-Monitored

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 2

eth1 50.200.58.244
bond1 192.20.15.5

FW01>

FW02 output-----


FW02> cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 1


Interface Name: Status:

Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) DOWN (61634.2 secs)
maas_tunnel Non-Monitored

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 2

eth1 50.200.58.244
bond1 192.20.15.5

FW02>

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Tuesday
In response to VIKAS1
Jump to solution

Is the cabling correct to the switch, have you investigated the lacp-block ?

CCSM R77/R80/ELITE
0 Kudos
VIKAS1
Collaborator
Tuesday
In response to Chris_Atkinson
Jump to solution

cabling has been done as below

FW01- port 3 to core01 23

FW01 - port 4 to core02 23

FW02 - port 3 to core01 24

FW02 - port 4 to core02 24

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Tuesday
In response to VIKAS1
Jump to solution

It seems like all 4 ports are in the same LAG on the switch site? Should be separate LAGs per gateway.

0 Kudos
VIKAS1
Collaborator
Tuesday
In response to emmap
Jump to solution

Might be, I have asked my vendor to check from Aruba switched end. 

is there anything to check from checkpoint side

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Tuesday
In response to VIKAS1
Jump to solution

In your screenshots, shows Mgmt interface is down, not bond.

Best,
Andy
0 Kudos
VIKAS1
Collaborator
Tuesday
In response to the_rock
Jump to solution

Yes, but in another Firewall 02 it's show bond interface.

 

 

Preview file
56 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Tuesday
In response to VIKAS1
Jump to solution

I dont see bond anywhere. hey, do you allow remote? Im just doing some lab work now, but dont start till later, so happy to try help you.

Screenshot_1.png

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Tuesday
Jump to solution

Hey guys,

Just to update, Vikas and I had zoom remote and below are my notes from it. @VIKAS1 , I would certainly check Aruba switch end, as config is 100% correct on CP side.

*************************************

-new 3920 cluster on R82.10
-managed by smart-1 cloud
-in sv monitor, shows bond interface is down

checked cphaprob -a if

this did work fine before, just started today

Aruba switch appears fine

ran cphastop and cphastart on affected member fw02

we also bounced the interface, verified topology, same issue, still shows down from cphaprob state

rebooted fw02 member
verified -> same state, shows as down and bond is down as well

to me, this definitely appears to be Aruba switch related, as config is the same on both members, including bond interface

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Tuesday
Jump to solution

Hey Vikas,

I did some more lab tests on this and when I had topology set the way you did, I had exact same problem. I then changed it to setting per routing (cant recall the exact name now, but its 2nd last option I believe) and then all worked when I installed policy.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Tuesday
In response to the_rock
Jump to solution

@VIKAS1 This is the setting I meant. BUT, please be careful, better try this in short maintenance window.

Screenshot_1.png

Best,
Andy
0 Kudos
VIKAS1
Collaborator
Tuesday
In response to the_rock
Jump to solution

Sure, will try and update. thnks for quick zoom call.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Wednesday
In response to VIKAS1
Jump to solution

Please let us know, thanks mate!

Best,
Andy
0 Kudos
VIKAS1
Collaborator
yesterday
In response to the_rock
Jump to solution

I hv tried on down window but there was no changes , same output.

FW02:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 1


Interface Name: Status:

Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) DOWN (87301.8 secs)
maas_tunnel Non-Monitored

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 2

 

FW01:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 3
Required secured interfaces: 1


Interface Name: Status:

Mgmt Non-Monitored
eth1 UP
eth8 (S) UP
bond1 (LS-P) UP
maas_tunnel Non-Monitored

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 2

FW02:0]# cphaprob stat

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 20.20.20.11 100% ACTIVE FW01
2 (local) 20.20.20.12 0% DOWN FW02


Active PNOTEs: LPRB, IAC

Last member state change event:
Event Code: CLUS-117500
State change: INIT -> DOWN
Reason for state change: PNOTE DSD
Event time: Tue Nov 18 18:47:59 2025

Last cluster failover event:
Transition to new ACTIVE: Member 2 -> Member 1
Reason: Interface Mgmt is down (disconnected / link down)
Event time: Thu Nov 13 22:30:35 2025

Cluster failover count:
Failover counter: 3485
Time of counter reset: Sat Nov 8 16:57:23 2025 (reboot)

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to VIKAS1
Jump to solution

Can you send a screenshot of how topology is set for that interface now?

Best,
Andy
0 Kudos
VIKAS1
Collaborator
yesterday
In response to the_rock
Jump to solution

 

Hello, attached

 

Preview file
86 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to VIKAS1
Jump to solution

Hey brother,

I was thinking change it to defined per routes option, thats what I mentioned.

Best,
Andy
0 Kudos
VIKAS1
Collaborator
yesterday
In response to the_rock
Jump to solution

i have changed but there was no any changes on clusterxl..find the snap topology changes made as you said

Preview file
118 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to VIKAS1
Jump to solution

Thats exactly how I have it in the lab and works fine. Anything on the switch side?

Best,
Andy
0 Kudos
VIKAS1
Collaborator
yesterday
In response to the_rock
Jump to solution

no changes on switch end. as i have mentioned yearly same lag configured.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to VIKAS1
Jump to solution

Just as a test. are you able to bounce that port on the switch? I have 1 hour available, lets do zoom if you are free? I really want to fix this for you. Let me know.

Best,
Andy
0 Kudos
VIKAS1
Collaborator
yesterday
In response to the_rock
Jump to solution

Hi Just for update, I have tried that also and interchanging the port on switch end but getting same error.

the_rock
MVP Platinum
MVP Platinum
yesterday
In response to VIKAS1
Jump to solution

Are you free for zoom remote?

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to VIKAS1
Jump to solution

Hey Vikas,

Does 6.30 pm your time Friday work for zoom remote? If so, just confirm and I can send you the link directly when its time, that would be 8 am for me.

Best,
Andy
VIKAS1
Collaborator
2 hours ago
In response to the_rock
Jump to solution

thanks Andy for support...the issue has been resolved.

I have created one more lag on Aruba switch and tag with the ports.

i was  trying to carry two different firewalls within the same lag. Logically, as recommend connecting the ends of each firewall connected to the 6300m side to different lag groups

 

!
! LAG100 for CP1
interface lag 100
 description CP1_inside
 no shutdown
 no routing
 vlan trunk native 15
 vlan trunk allowed all
 lacp mode active
 lacp rate fast
exit

interface 1/1/23
 no shutdown
 no routing
 lag 100
exit

interface 2/1/23
 no shutdown
 no routing
 lag 100
exit

! LAG101 for CP2
interface lag 101
 description CP2_inside
 no shutdown
 no routing
 vlan trunk native 15
 vlan trunk allowed all
 lacp mode active
 lacp rate fast
exit

interface 1/1/24
 no shutdown
 no routing
 lag 101
exit

interface 2/1/24
 no shutdown
 no routing
 lag 101
exit

Preview file
71 KB
Preview file
137 KB
the_rock
MVP Platinum
MVP Platinum
2 hours ago
In response to VIKAS1
Jump to solution

Excellent, very happy its working!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events