the_rock
Legend

R82 elasticXL lab

Hey boys and girls, ladies and gents,

I built an R82 ElasticXL lab and though I followed the link below by @HeikoAnkenbrand, I'm not sure if I can't make it work because I'm using EVE-NG or for what reason, but I created 2 separate ElasticXL instances, and the clustering part fails for some reason, so if anyone has an idea, happy to hear it 🙂

I could care less if this lab breaks, it's super easy to rebuild anyway.

This is the link I was referring to. I also attached some screenshots and outputs.

Andy

https://community.checkpoint.com/t5/Security-Gateways/R82-Install-ElasticXL-Cluster/td-p/206235

 


 

[Expert@CP-EXL-1-s01-01:0]# cphaprob state

Cluster Mode: HA Over LS

ID Unique Address Assigned Load State Name

1 (local) 192.0.2.1 100% ACTIVE(P) CP-EXL-1-s01-01


Active PNOTEs: None

Last member state change event:
Event Code: CLUS-114904
State change: ACTIVE(!) -> ACTIVE
Reason for state change: Reason for ACTIVE! alert has been resolved
Event time: Mon Jul 1 19:40:49 2024
[Expert@CP-EXL-1-s01-01:0]#

 

[Expert@CP-EXL-02-s01-01:0]# asg monitor
Mon Jul 01 20:44:20 EDT 2024

--------------------------------------------------------------------------------
| System Status - ElasticXL |
--------------------------------------------------------------------------------
| Up time | 39:27 minutes |
| Members | 1 / 1 |
| Version | R82 (Build Number 633) |
Mon Jul 01 20:44:21 EDT 2024
--------------------------------------------------------------------------------
| System Status - ElasticXL |
--------------------------------------------------------------------------------
| Up time | 39:29 minutes |
| Members | 1 / 1 |
| Version | R82 (Build Number 633) |
| FW Policy Date | 01Jul24 20:38 |
| AMW Policy Date | N/A |
--------------------------------------------------------------------------------
| Member ID Site1 |
| ACTIVE |
--------------------------------------------------------------------------------
| 1 ACTIVE |
--------------------------------------------------------------------------------


^C
[Expert@CP-EXL-02-s01-01:0]#

 

[Expert@CP-EXL-02-s01-01:0]# cphaprob -a if

CCP mode: Automatic

Interface Name: Status:

eth2 UP
eth3 UP
Sync (S) UP
magg1 (LS) UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

 

 

[Expert@CP-EXL-1-s01-01:0]#
[Expert@CP-EXL-1-s01-01:0]# cphaprob -a if

CCP mode: Automatic

Interface Name: Status:

eth2 UP
eth3 UP
Sync (S) UP
magg1 (LS) UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 5

lo 127.0.0.1
eth2 192.168.10.238
eth3 169.254.0.238
Sync 192.0.2.1
magg1 172.16.10.238

[Expert@CP-EXL-1-s01-01:0]#

 

 

Virtual cluster interfaces: 5

lo 127.0.0.1
eth2 192.168.10.237
eth3 169.254.0.237
Sync 192.0.2.1
magg1 172.16.10.237

[Expert@CP-EXL-02-s01-01:0]#

 

And since the ElasticXL cluster object does NOT have an option to add cluster members, there is something obvious I'm missing, but I can't figure out what, so I will check it later.

 

Andy

 

 


 

 

 

0 Kudos
37 Replies
Yasushi_Kono1
Contributor
 

Thank you for your prompt response.

I have added screen shots to clarify the issue. I tried that via Serial Number as well as the Request-ID. 

I would expect to see the other node by typing "show cluster info provision" but this is not the case.

0 Kudos
ShaiF
Employee

Hi @Yasushi_Kono1,

If you do not see the member in show cluster info provisioning or show cluster, it means the SMO is not hearing the new member, and there is no use continuing to add it using any of the methods.

You first need to check your connectivity. Try to ping from the SMO to 192.0.2.254 and from the new member to the SMO (192.0.2.1).

In addition, see if you get UDP traffic from 192.0.2.254 on port 1135 on the SMO: tcpdump -nnni Sync port 1135

VMs can build interfaces at boot time in the wrong order. In most cases you need to match the MAC on eth1, for example, to the network adapter MAC in the VM hypervisor settings and see that it is indeed connected to your Sync network.

You need to check this on the SMO as well (to get the original MAC on Sync use ethtool -i Sync).

Regards,

Shai.

0 Kudos
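Added example, not part of any post in this thread: a shell helper that applies the UDP 1135 check from the reply above to `tcpdump -nnn` text output and reports whether the pending member at 192.0.2.254 was heard on the Sync interface. The function names and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `tcpdump -nnn` text lines on stdin.

# Print each unique IPv4 source seen in UDP packets to or from port $1
# (default 1135, the port named in the reply above).
udp_sources() {
    awk -v port="${1:-1135}" '
        $2 == "IP" && $4 == ">" && $6 == "UDP," {
            dst = $5; sub(/:$/, "", dst)
            n = split($3, s, "."); m = split(dst, d, ".")
            if (n != 5 || m != 5) next               # not IPv4 "addr.port"
            if (s[5] != port && d[5] != port) next   # other UDP traffic
            ip = s[1] "." s[2] "." s[3] "." s[4]
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Exit 0 if address $1 sent at least one such packet, 1 otherwise.
member_heard() {
    udp_sources "${2:-1135}" | grep -Fxq -- "$1"
}

# Constructed capture: the pending member (192.0.2.254) reaches the SMO.
SAMPLE_HEARD='20:44:20.100001 IP 192.0.2.254.1135 > 192.0.2.1.1135: UDP, length 64
20:44:20.100950 IP 192.0.2.1.1135 > 192.0.2.254.1135: UDP, length 64
20:44:21.100004 IP 192.0.2.254.1135 > 192.0.2.1.1135: UDP, length 64'

# Constructed capture: only the SMO itself and unrelated traffic on Sync.
SAMPLE_SILENT='20:44:20.100950 IP 192.0.2.1.1135 > 192.0.2.255.1135: UDP, length 64
20:44:20.200000 ARP, Request who-has 192.0.2.254 tell 192.0.2.1, length 28
20:44:20.300000 IP 192.0.2.1.8116 > 192.0.2.255.8116: UDP, length 40'

for name in HEARD SILENT; do
    eval "capture=\$SAMPLE_$name"
    if printf '%s\n' "$capture" | member_heard 192.0.2.254; then
        echo "$name: 192.0.2.254 seen on UDP 1135, SMO can hear the new member"
    else
        echo "$name: nothing from 192.0.2.254, check Sync cabling / vNIC MAC mapping"
    fi
done
# Live use on the SMO (same filter as in the reply):
#   tcpdump -nnni Sync -c 20 port 1135 | member_heard 192.0.2.254
```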
Yasushi_Kono1
Contributor

Hi Shai,

Thank you for your response. In the meantime, I was able to get it to run by re-installing the SMO from scratch.

That led me to another question: Is it possible to change the interface designation for the Sync interface, since eth1 is the expected interface for this? How can I swap to, let's say, eth4?

Thanks a lot again!

Kind regards,
Yasushi

 

0 Kudos
ShaiF
Employee

Hi @Yasushi_Kono1,

If we're talking about a VM, then the best solution is to go to your VM settings and edit the network adapters.

There is also an option to edit this file on the gw (per member):
/etc/sp_core/conf/vm_mapping.csv
So in your case the content will be:
eth0 Mgmt
eth1 eth1
eth2 eth2
eth3 eth3
eth4 eth1-Sync

 

Regards,

Shai.

Yasushi_Kono1
Contributor

Hi Shai,

 

Thanks a lot for your valuable information. So, do you have to configure this file before running the FTW?

I will try that right away! You made my day!

 

Kind regards,
Yasushi

0 Kudos
David_Robinson
Contributor

Hi ShaiF

 

I'm trying to get ElasticXL working on a 3200 Check Point appliance. Is there a workaround to get it working on an appliance without a dedicated Sync port?

 

I have tried renaming eth1 to Sync by modifying 

/etc/udev/rules.d/00-PB-10-00.rules

 

The first member is not seeing the second waiting to be provisioned.

0 Kudos
emmap
Employee

Per the R82 release notes, the 3000 series appliances don't support ElasticXL. Nor do 5100 or 5200. 

Then again, they also say it's not supported on VMs, but it works for lab purposes so there may be a workaround. You can maybe try that file that Shai mentioned a couple of posts up?

0 Kudos
ShaiF
Employee

Hi @David_Robinson,
The best solution is to rename eth0 and eth1 to -Mgmt and Sync (in the udev file). After reboot, if you have these interfaces, you will need to re-register the detection daemon by running:

dbset process:exl_detectiond t
dbset :save

Do it on both members (before you run FTW on SMO). In this case the appliances will fresh load with Mgmt and Sync, the detection daemon will run and all should be good (did not test it myself but it should be :)).
Regards,

Shai.

0 Kudos
