H4ppyM3
Contributor

R81.20 ClusterXL distribution problem

Dear Checkpoint Community,


I’m facing a problem and can’t move forward with it. The current setup is a ClusterXL Active-Active, Load-Sharing Multicast mode; OS = R81.20.

On the firewall I have a public IP translated to a private IP (normal destination NAT) using HTTPS. With both nodes up, the traffic is distributed first to fw1, where it gets NAT-ed, leaves via the internal interface and sends a SYN to the server. But the response goes to fw2, where there is no session for it, and gets dropped with “first packet isn’t SYN”.

 

I’ve already tried changing the TCP 3-way handshake synchronization mode from the default value to “smart sync”; it did not help. Changing the stateful inspection setting for TCP out-of-state drops in Global_prop did not help either. Doing zdebug + drop, I also see an error like a cookie validation error message. Here I need to mention that IPS is turned off.

Last piece of information: this setup did work correctly on version R80.40 with exactly the same settings; the problem started in versions R81.10 and R81.20. If you have any suggestions on how to proceed, please let me know. Is there a way to hold/stick the session to the gateway that first received the packet from the external (Internet) side? One of my suspicions is that maybe the NAT port pool, which is divided between the two cluster members, gets exhausted.


Any hint appreciated.

4 Replies
the_rock
Legend

I can't recall now where this setting is, but I believe it's under cluster properties somewhere in SmartConsole, sticky connections... can you see if that's on or off?

Andy

Lesley
Leader

This is correct, but from R80.20 it is done with the Cluster Correction Layer (CCL).

https://support.checkpoint.com/results/sk/sk169154

Is this Maestro or VSX?

VSX example:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Chassis_AdminGuide/Content/T...

-------
If you like this post please give a thumbs up(kudo)! 🙂
H4ppyM3
Contributor

It is not VSX or Maestro. 2x appliances.

PhoneBoy
Admin

Strongly suggest a TAC case, especially since this worked in an earlier version.
https://help.checkpoint.com 
