KostasGR
Advisor

How to manually force split brain on VSes with 2 VSXes on VSLS mode

Hello 

Is there any way to manually force split brain on 2 VSes created on 2 VSXes on VSLS mode?

I want to achieve 2 VSes active on VSXA and the same 2 VSes active on VSXB in a lab environment.

BR,
Kostas

 

0 Kudos
11 Replies
genisis__
Leader

I'm pretty sure the answer is no.

You can certainly load share between different VSX Nodes but you can't have any one VS active on two different nodes, at least to my knowledge.

If you want true resource balancing then perhaps Maestro may be a better option.

Another idea would be to have two different VSes using the same policy file but perhaps an external load balancer to share the load (a bit overkill, but could also be an option with some design considerations).

0 Kudos
Vladimir
Champion

I do not think that you can selectively achieve that, but to have all VSes running in split brain, move the networks of one of the units to separate vSwitches (lose the sync) and reboot the unit.

In theory, it'll come up looking for the other cluster member and, not finding one, run VSes to Active mode.

0 Kudos
Bob_Zimmerman
Authority

If there are other VSs which you don't want to try to become active on both members, this isn't possible. Sync and cluster monitoring on VSX is a whole-box thing.

If you're okay with all VSs trying to become active on two or more members, you just have to prevent those members from seeing each other.

0 Kudos
KostasGR
Advisor

Hello all

Finally I have managed to cause split brain by preventing those members from seeing each other.

Apart from preventing VSes from seeing each other through their interfaces (inside, outside, DMZ, etc.), I had to disable SYNC connectivity and also shut down the management interface of the 2 VSXes. By disabling the management interfaces of the 2 VSXes I had no logging towards the log server (management server).

BR,

Kostas 

0 Kudos
genisis__
Leader

What is achieved by this outside a lab? In a production environment you could not really do the above and most certainly Check Point would not support it.

KostasGR
Advisor

A DR scenario that cuts layer 2 connectivity between MAIN DC and REMOTE DC, for example. Why wouldn't Check Point support it?

0 Kudos
genisis__
Leader

I don't believe this is a supported scenario, but Check Point would be better to respond.

Kaspars_Zibarts
Employee

Technically, if VSX nodes lose L2 completely then both will become Active, as they will assume that the other node is dead based on the clustering protocol. So your two DCs should continue to work independently. Obviously you won't be able to manage them, i.e. push rules or routing. But I suggest you test in the lab.

Bob_Zimmerman
Authority

That depends. Other problems such as monitored interfaces which don't have anything available to ping (e.g., a new highest VLAN or lowest VLAN which doesn't have any endpoints on it yet) can cause both members to refuse to become active because they each think they are the device with the failure.

Spanning layer 2 between datacenters is a really bad idea.

0 Kudos
Kaspars_Zibarts
Employee

Hehe. There are lots of bad ideas @Bob_Zimmerman but in reality you are forced to accept legacy solutions that take years to move on from 🙂

0 Kudos
Bob_Zimmerman
Authority

I've personally seen more people trying to span layer 2 between datacenters in each of the last five years than I had even heard about in the ten years before. It's a recent phenomenon. People need to be told it's a terrible idea which will lead to awful problems.

0 Kudos
