Arthur_DENIS1
Advisor

R82 - lab with ElasticXL

Hello all!

I'm trying to play with an R82 ElasticXL lab in a VMware environment, but I'm stuck in a strange situation...

I read the admin doc, which gives the same process as the one written by @HeikoAnkenbrand:
Solved: R82 – Install ElasticXL Cluster - Check Point CheckMates

However, I get a sort of split-brain scenario, and no traffic can pass...

SGM 1_01 shows:
--------------------------------------------------------------------------------
| System Status - ElasticXL |
--------------------------------------------------------------------------------
| Up time | 15:44:33 hours |
| Members | 1 / 2 ! |
| Version | R82 (Build Number 633) |
| FW Policy Date | 03Jul24 14:29 |
| AMW Policy Date | N/A |
--------------------------------------------------------------------------------
| Member ID Site1 |
| ACTIVE |
--------------------------------------------------------------------------------
| 1 ACTIVE |
| 2 LOST |
--------------------------------------------------------------------------------

And SGM 1_02 shows:
--------------------------------------------------------------------------------
| System Status - ElasticXL |
--------------------------------------------------------------------------------
| Up time | 16:47 minutes |
| Members | 1 / 2 ! |
| Version | R82 (Build Number 633) |
| FW Policy Date | 03Jul24 14:29 |
| AMW Policy Date | N/A |
--------------------------------------------------------------------------------
| Member ID Site1 |
| ACTIVE |
--------------------------------------------------------------------------------
| 1 LOST |
| 2 ACTIVE |
--------------------------------------------------------------------------------

I tried to rebuild this several times but still get the issue...

Any advice?

the_rock
Legend

It's the exact same link I followed as well, but since the Israel folks told me that EVE-NG is not supported, I think that's totally fair, as I don't like to waste time on unsupported platforms. I'm sure VMware should be though, but maybe someone from CP can verify.

Andy

the_rock
Legend

Just for context, what does this tab look like for you?

Andy


the_rock
Legend

K, I sort of figured that was the case. Does it help if you reboot that member?

Andy

Arthur_DENIS1
Advisor

Of course I tried 😁
But still the same issue...

Trying to add a second site gives me the same issue.
With or without JHF13, I get the same issue...

The strange thing is that SMO auto-cloning is working well, for example. Really strange situation (and I have already deployed some Maestros, so it's not supposed to be totally new for me 🙂)

the_rock
Legend

Let's see what CP folks say... sorry mate, I got nothing else 😂

Andy

ShaiF
Employee

Hi,

You need to debug your Sync network.
Please share what's working from the SMO:

1. ping the other member

2. move to the other member using the m command

3. g_all echo 1 (do you see output from all members?)

In addition, check the permissions on your vSwitches and make sure promiscuous mode is on Reject.

Make sure to compare the MAC address of eth1-Sync and see on the VM that it is connected to your sync network on both members.


Regards,

Shai


Arthur_DENIS1
Advisor

Hi,

For information, my SYNC network is a local VLAN on my ESX host, shared only with these 2 SGMs.

1/ Yes, ping is working on sync (ping OK between 192.0.2.1 and 192.0.2.2)

2/ not working:
[Expert@ADE-CHKP-R82EA-SMO-s01-01:0]# m 1_02
IP address for member 1_02 is unavailable

3/ g_all is executed only on one member

Thanks for your help here,
Arthur

ShaiF
Employee

Please ack promiscuous mode is enabled on Sync vSwitches, and confirm the MAC address on eth1-Sync correlates with the MAC on the network adapter connected to your sync network on both members.

Arthur_DENIS1
Advisor

Yes, I confirmed: promiscuous mode is enabled on the Sync VLAN, and the MAC addresses are correlated on both members.

Arthur_DENIS1
Advisor

In addition, we can see traffic between members over eth1-Sync:
[Expert@ADE-CHKP-R82EA-SMO-s01-02:0]# tcpdump -nni eth1-Sync host 192.0.2.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1-Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:27.365392 IP 192.0.2.1.1135 > 192.0.2.255.1135: UDP, length 807
15:59:27.392815 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], seq 614975352:614976800, ack 1404429924, win 29, options [nop,nop,TS val 3941735243 ecr 2301092449], length 1448
15:59:27.392834 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], seq 1448:2896, ack 1, win 29, options [nop,nop,TS val 3941735243 ecr 2301092449], length 1448
15:59:27.392837 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], seq 2896:4344, ack 1, win 29, options [nop,nop,TS val 3941735243 ecr 2301092449], length 1448
15:59:27.393060 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [P.], seq 4344:4654, ack 1, win 29, options [nop,nop,TS val 3941735244 ecr 2301092449], length 310
15:59:27.393335 IP 192.0.2.1.6380 > 192.0.2.2.36379: Flags [.], ack 4654, win 179, options [nop,nop,TS val 2301101025 ecr 3941735243], length 0
15:59:27.393399 IP 192.0.2.1.6380 > 192.0.2.2.36379: Flags [P.], seq 1:23, ack 4654, win 179, options [nop,nop,TS val 2301101025 ecr 3941735243], length 22
15:59:27.393451 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], ack 23, win 29, options [nop,nop,TS val 3941735244 ecr 2301101025], length 0
15:59:28.097169 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], seq 1155514033:1155515481, ack 3414838712, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 1448
15:59:28.097241 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], seq 1448:2896, ack 1, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 1448
15:59:28.097247 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], seq 2896:4344, ack 1, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 1448
15:59:28.097252 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [P.], seq 4344:4663, ack 1, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 319
15:59:28.097601 IP 192.0.2.2.6380 > 192.0.2.1.34456: Flags [.], ack 4663, win 179, options [nop,nop,TS val 3941735948 ecr 2301101729], length 0
15:59:28.097811 IP 192.0.2.2.6380 > 192.0.2.1.34456: Flags [P.], seq 1:23, ack 4663, win 179, options [nop,nop,TS val 3941735949 ecr 2301101729], length 22
15:59:28.097931 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], ack 23, win 29, options [nop,nop,TS val 2301101730 ecr 3941735949], length 0
^C

Arthur_DENIS1
Advisor

Thanks a lot to @ShaiF for this quick fix!

For everyone: we sorted out the issue by disabling promiscuous mode on the sync VLAN!
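
Added example, not part of any post in this thread: a small shell audit of the two vSphere-side checks discussed above (promiscuous mode on the sync port group, and the eth1-Sync MAC matching the VM adapter). It assumes a standard vSwitch and the "Allow Promiscuous" field as printed by esxcli; the function names are hypothetical and the policy text and MAC addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two vSphere-side checks discussed above.
# On an ESXi host with a standard vSwitch, the policy text would come from:
#   esxcli network vswitch standard portgroup policy security get -p "<sync portgroup>"
# Function names are hypothetical; the sample values below are constructed.

# Print the "Allow Promiscuous" value (true/false) found in policy text on stdin.
promisc_value() {
    sed -n 's/^[[:space:]]*Allow Promiscuous:[[:space:]]*\([A-Za-z]*\).*$/\1/p' |
        head -n 1 | tr 'A-Z' 'a-z'
}

# 0 = promiscuous mode rejected, 1 = accepted, 2 = field not found in the input.
promisc_rejected() {
    case "$(promisc_value)" in
        false) return 0 ;;
        true)  return 1 ;;
        *)     return 2 ;;
    esac
}

# Normalise a MAC address (case, ':' or '-' separators) before comparing.
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-'; }

# 0 when the guest's eth1-Sync MAC equals the MAC of the VM adapter on the sync network.
mac_matches() { [ "$(norm_mac "$1")" = "$(norm_mac "$2")" ]; }

# $1 = policy text, $2 = MAC seen in the guest, $3 = MAC of the VM network adapter.
check_sync_portgroup() {
    rc=0
    if printf '%s\n' "$1" | promisc_rejected; then echo "promiscuous: reject (ok)"
    else echo "promiscuous: NOT rejected"; rc=1; fi
    if mac_matches "$2" "$3"; then echo "mac: match (ok)"
    else echo "mac: MISMATCH"; rc=1; fi
    return "$rc"
}

# Constructed sample: the lab state before the fix (promiscuous mode accepted).
SAMPLE_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override vSwitch Allow Promiscuous: true'

check_sync_portgroup "$SAMPLE_POLICY" "00:50:56:AA:BB:01" "00-50-56-aa-bb-01" || true
```

The parser anchors on the line that starts with "Allow Promiscuous:", so the "Override vSwitch Allow Promiscuous" line does not affect the result.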

the_rock
Legend

Awesome mate! Thanks for sharing.

Andy
