This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KostasGR
Advisor
‎2022-06-02 12:06 PM

How to manually force split brain on VSes with 2 VSXes on VSLS mode

Hello 

Is any way  to manually force split brain on 2 VSes created on 2 VSXes on VSLS mode?

I want to achieve 2 VSes active on VSXA and the same 2 VSes active on VSXB in a lab environment.

BR,
Kostas

 

0 Kudos
11 Replies
genisis__
MVP Silver
MVP Silver
‎2022-06-02 12:30 PM

I'm pretty sure the answer is no.

 

You can certainly load share between different VSX Nodes but you can't have any one VS active on two different nodes, at least too my knowledge.

If you want true resource balancing then perhaps Maestro may be a better option.

 

Another idea, would be to have two different VS's using the same policy file but perhaps an external load balancing to share the load (a bit over kill, but could also be an option with some design considerations).

0 Kudos
Vladimir
Champion
Champion
‎2022-06-02 12:53 PM

I do not think that you can selectively achieve that, but to have all VSes running in split brain, move the networks of one of the unit to the separate vSwitches, (loose the sync) and reboot the unit.

In theory, it'll come up looking for other cluster member and, not finding one, run VSes to Active mode.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-06-02 01:54 PM

If there are other VSs which you don't want to try to become active on both members, this isn't possible. Sync and cluster monitoring on VSX is a whole-box thing.

If you're okay with all VSs trying to become active on two or more members, you just have to prevent those members from seeing each other.

0 Kudos
KostasGR
Advisor
‎2022-06-07 01:14 AM
In response to Bob_Zimmerman

Hello all

Finally i have managed to cause split brain by preventing those members from seeing each other.

Apart from preventing VSes to see each other through their interfaces (inside,outside,DMZ etc) I had to disable SYNC connectivity and also shutdown the management interface of the 2 VSXes. By disabling the management interfaces of the 2 VSXes i had no logging towards the log server (management server),

BR,

Kostas 

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2022-06-07 01:18 AM
In response to KostasGR

What is achieved by this outside a lab?  In a production environment you could not really do the above and most certainly Checkpoint would not support it.

 

 

KostasGR
Advisor
‎2022-06-07 02:46 AM
In response to genisis__

A DR scenario that cuts layer 2 connectivity between MAIN DC and REMOTE DC for example. Why Check point wouldn't support it?

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2022-06-07 02:54 AM
In response to KostasGR

I don't believe this is a supported scenario, but Checkpoint would be better to respond.   

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-06-07 04:51 AM
In response to genisis__

Technically if VSX nodes lose L2 completely then both will become Active as they will assume that other node is dead based on clustering protocol. So your two DCs should continue to work independently. Obviously you won't be able to manage them i.e push rules our routing. But I suggest you test in the lab

Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-06-07 05:21 AM
In response to Kaspars_Zibarts

That depends. Other problems such as monitored interfaces which don't have anything available to ping (e.g, a new highest VLAN or lowest VLAN which doesn't have any endpoints on it yet) can cause both members to refuse to become active because they each think they are the device with the failure.

Spanning layer 2 between datacenters is a really bad idea.

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-24 12:18 AM
In response to Bob_Zimmerman

Hehe. There are lots of bad ideas @Bob_Zimmerman  but in reality you are forced to accept legacy solutions that take years to move on from 🙂 

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-07-24 06:36 AM
In response to Kaspars_Zibarts

I've personally seen more people trying to span layer 2 between datacenters in each of the last five years than I had even heard about in the ten years before. It's a recent phenomenon. People need to be told it's a terrible idea which will lead to awful problems.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events