Solved: Re: R82 elasticXL lab - Page 2

the_rock · ‎2024-07-01

Hey boys and girls, ladies and gents,

I built R82 elasticXL lab and though I followed below link by @HeikoAnkenbrand , not sure if I cant make it work cause Im using eveNG or for what reason, but I created 2 separate elasticxl instances, but clustering part fails for some reason, so if anyone has an idea, happy to hear it 🙂

I could care less if this lab breaks, its super easy to rebuid anyway.

This is the link I was referring to. I also attached some screenshots and outputs.

Andy

https://community.checkpoint.com/t5/Security-Gateways/R82-Install-ElasticXL-Cluster/td-p/206235

[Expert@CP-EXL-1-s01-01:0]# cphaprob state

Cluster Mode: HA Over LS

ID Unique Address Assigned Load State Name

1 (local) 192.0.2.1 100% ACTIVE(P) CP-EXL-1-s01-01

Active PNOTEs: None

Last member state change event:
Event Code: CLUS-114904
State change: ACTIVE(!) -> ACTIVE
Reason for state change: Reason for ACTIVE! alert has been resolved
Event time: Mon Jul 1 19:40:49 2024
[Expert@CP-EXL-1-s01-01:0]#

[Expert@CP-EXL-02-s01-01:0]# asg monitor
Mon Jul 01 20:44:20 EDT 2024

^C
[Expert@CP-EXL-02-s01-01:0]#

[Expert@CP-EXL-02-s01-01:0]# cphaprob -a if

CCP mode: Automatic

Interface Name: Status:

eth2 UP
eth3 UP
Sync (S) UP
magg1 (LS) UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

[Expert@CP-EXL-1-s01-01:0]#
[Expert@CP-EXL-1-s01-01:0]# cphaprob -a if

CCP mode: Automatic

Interface Name: Status:

eth2 UP
eth3 UP
Sync (S) UP
magg1 (LS) UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 5

lo 127.0.0.1
eth2 192.168.10.238
eth3 169.254.0.238
Sync 192.0.2.1
magg1 172.16.10.238

[Expert@CP-EXL-1-s01-01:0]#

Virtual cluster interfaces: 5

lo 127.0.0.1
eth2 192.168.10.237
eth3 169.254.0.237
Sync 192.0.2.1
magg1 172.16.10.237

[Expert@CP-EXL-02-s01-01:0]#

And since elasticxl cluster object does NOT have an option to add cluster members, there is something obvious Im missing, but cant figure out what, so will check it later.

Andy

genisis__ · ‎2025-02-10

We ended up setting the Image to Redhat 6, so there is clearly a setting in Redhat 8 (in ESXi) which needs to be altered.

Bob_Zimmerman · ‎2025-02-10

RHEL 8 supports Secure Boot, so the vmx preset in ESXi probably enables it in the boot ROM options. A preset for RHEL 7 would probably also work.

genisis__ · ‎2025-02-10

Thanks Bob.

Yasushi_Kono1 · ‎2024-11-05

Hi ShaiF,

after having configured everything as described, I have got the 192.0.2.254 address on eth1. However, if I insert the command
add cluster member method request-id identifier xxxxxxxxxxxxxxxxxxxxxxxx site-id 1 format json

then I get the message info:
"message" : "No info for request-id with value xxxxxxxxxxxxxxxxxxxxxxxxxxxx",

How could this problem be resolved? Any hints?

Thanks in advance!

I try to do the configuration on a cloud-based lab environment specifically desgined for our CP classes (skillable).

ShaiF · ‎2024-11-05

Hi @Yasushi_Kono1,

have you tried the simpler way to add member using hostname / serial-number?

can you share the output of 'show cluster info provisioning' or 'show cluster info" from gclish?
BTW: you do not need to put XXX on the request-id value as it is public key, no one can do nothing with it and it meant to be exposed. the private key is on the member you want to join so he's the only one who can join the cluster if you are using request-id as method
Regards,

Shai.

Yasushi_Kono1 · ‎2024-11-05

Thank you for your prompt response.

I have added screen shots to clarify the issue. I tried that via Serial Number as well as the Request-ID.

I would expect to see the other node by typing "show cluster info provision" but this is not the case.

ShaiF · ‎2024-11-05

Hi @Yasushi_Kono1,

If you do not see the member in the show cluster info provisioning or show cluster it means SMO not earing new member and there is no use to continue and add it using any of the method.

you first need to check your connectivity. try ping from smo to 192.0.2.254 and from new member to SMO (192.0.2.1)

in addition see if you get udp traffic from 192.0.2.254 on port 1135 on SMO tcpdump -nnni Sync port 1135

VMs can build interfaces in boot time not in the right order. in most cases you need to match the mac on eth1 for example to the network adapter mac on the VM hypervisor settings and see it indeed connected to your Sync network.

you need to check as well on SMO (to get the original mac on Sync use ethtool -i Sync)

Regards,

Shai.

Yasushi_Kono1 · ‎2024-11-07

Hi Shai,

thank you for your response. In the meanwhile, I could get it run by re-installing the SMO from scratch.

That led me to another question: Is it possible to change the interface designation for the Sync interface, since eth1 is the expected interface for this. How can I swap to let's say eth4?

Thanks a lot again!

Kind regards,
Yasushi

ShaiF · ‎2024-11-10

HI @Yasushi_Kono1

If we're talking on VM then the best solution is to go to your VM setting and edit the network adapters.

there is also option to edit this file on the gw (per member):
/etc/sp_core/conf/vm_mapping.csv
so in your case content will be:
eth0 Mgmt
eth1 eth1
eth2 eth2

eth3 eth3

eth4 eth1-Sync

Regards,

Shai.

Yasushi_Kono1 · ‎2024-11-13

Hi Shai,

Thanks a lot for your valuable information. So, do you have to configure this file before running the FTW?

I will try that right away! You made my day!

Kind regards,
Yasushi

David_Robinson · ‎2024-12-03

Hi ShaiF

I'm trying to get ElasticXL working on a 3200 check point appliance. is there a work around to get it working on an appliance without a dedicated Sync port?

I have tried renaming eth1 to Sync by modifying

/etc/udev/rules.d/00-PB-10-00.rules

The first member is not seeing the second waiting to be provisioned.

emmap · ‎2024-12-03

Per the R82 release notes, the 3000 series appliances don't support ElasticXL. Nor do 5100 or 5200.

Then again, they also say it's not supported on VMs, but it works for lab purposes so there may be a workaround. You can maybe try that file that Shai mentioned a couple of posts up?

ShaiF · ‎2024-12-03

Hi @David_Robinson ,
The best solution is to rename eth0 and eth1 to -Mgmt and Sync (in the udev file). after reboot if you have this interfaces, you will need to re-register the detection daemon by running:
#

dbset process:exl_detectiond t
dbset :save

Do it on both members (before you run FTW on SMO). In this case appliances will fresh load with Mgmt and Sync, detection daemon will run and all should be good (did not tested myself but should be :)).
Regards,

Shai.

faridb

Hi dear expert,

i followed all the steps including the python trick , from SMO i can ping the 2nd member ip 192.0.2.254 and from the member ip 192.0.2.1 .

I can see traffic from UDP port 1135 requests and replies

from SMO , i now can see an available gateway from show cluster info provision

but it seems to be the SMO ??? not the 2nd member

maybe i missed something

any ideas ?

thx,

the_rock

Can you send the output/screenshot?

Andy

faridb

Capture d’écran du 2025-03-21 01-38-41.png

the_rock

Let me see if I can check in the morning, since lab where I have elastcxl is not available now, sorry : - (

Andy

faridb

sure , dude !

i will be glad to make it work

Fyi, i deployed the lab using the latest iso file

the_rock

Im 100% positive iso is not your issue 🙂

Andy

faridb

Capture d’écran du 2025-03-21 01-47-44.png

faridb

hi ,

Can you help me understand why i did not get the option to initialize the EXL cluster on the 1st setup wizard but only a checkbox to make this gw member of a clusterXL ?

i'm running R82 on eve-ng Platform

Regards

Bob_Zimmerman · ‎2024-12-28

R82 offers to let you build an ElasticXL cluster out of a 3000-series unit, but it fails in rather spectacular fashion. Gets stuck in a boot loop which needs hands on to fix. You never get the boot menu, so you can't revert to factory defaults without someone cycling power. I get that ElasticXL isn't supported on the 3000-series boxes, but the UI offers it up. It's even the default cluster method for them unless you go out of your way to specify ClusterXL. I expect this will bite a LOT of people when boxes start shipping with R82 by default.

While it's not supported, it's possible to set up an ElasticXL cluster for lab use on a pair of 3000-series boxes. I've only tested it on 3600s, since that's what I physically have, but they're all identical in almost all of the ways which matter for this. To build the first member and set up the cluster:

Install R82 (or some later version, I assume)
Boot the system
Connect via console
Edit /etc/udev/rules.d/00-QB-10-00.rules (3600 and 3800 are QB-10; the file for a 3100 or 3200 is 00-PB-10-00.rules)
1. Replace "eth1" with "Sync"
Reboot
Run the commands to make exl_detectiond check the system again
1. dbset process:exl_detectiond t
2. dbset :save
3. tellpm process:exl_detectiond t
Edit /etc/udev/rules.d/00-QB-10-00.rules
1. Replace "Sync" with "eth1-Sync"
2. Do not reboot!
Run the first-time wizard or apply config_system. Be sure to select the ElasticXL clustering method.
Once the system is configured, you will need to run 'add bonding group 1 interface Mgmt' in gclish.

To add another member, you follow steps 1-6, then have one of the working members accept the new member's join request.

Incidentally, a 3600 (or cluster of them, or probably a cluster of 3100 units, 3200 units, or 3800 units) can also run VSNext this way. I haven't yet tried, but I bet it would even work on a 2200, which uses the file 00-T-110-00.rules.

Machine_Head · ‎2025-01-29

Regarding the interface names, this worked for me on VmWare:

> set interface-name by-name eth0 to Sync

Might be a new clish command

Bob_Zimmerman · ‎2025-01-29

That command has existed since at least R80.40 (I don't have anything earlier to check). Only works on open servers and VMs, though.

Are you a member of CheckMates?

R82 elasticXL lab