R82 - lab with ElasticXL
Hello all!
I'm trying to play with an R82 ElasticXL lab in a VMware environment, but I'm stuck in a strange situation...
I read the admin doc, which gives the same process as the one written by @HeikoAnkenbrand:
Solved: R82 – Install ElasticXL Cluster - Check Point CheckMates
However, I get a sort of split-brain scenario, and no traffic can pass...
SGM 1_01 shows:
--------------------------------------------------------------------------------
| System Status - ElasticXL |
--------------------------------------------------------------------------------
| Up time | 15:44:33 hours |
| Members | 1 / 2 ! |
| Version | R82 (Build Number 633) |
| FW Policy Date | 03Jul24 14:29 |
| AMW Policy Date | N/A |
--------------------------------------------------------------------------------
| Member ID Site1 |
| ACTIVE |
--------------------------------------------------------------------------------
| 1 ACTIVE |
| 2 LOST |
--------------------------------------------------------------------------------
And SGM 1_02 shows:
--------------------------------------------------------------------------------
| System Status - ElasticXL |
--------------------------------------------------------------------------------
| Up time | 16:47 minutes |
| Members | 1 / 2 ! |
| Version | R82 (Build Number 633) |
| FW Policy Date | 03Jul24 14:29 |
| AMW Policy Date | N/A |
--------------------------------------------------------------------------------
| Member ID Site1 |
| ACTIVE |
--------------------------------------------------------------------------------
| 1 LOST |
| 2 ACTIVE |
--------------------------------------------------------------------------------
I tried to rebuild this several times but still get the issue...
Any advice?
Accepted Solutions
Thanks a lot to @ShaiF for this quick fix!
For everyone: we sorted out the issue by disabling promiscuous mode on the sync VLAN!
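The fix reported above (promiscuous mode disabled on the sync network) and the MAC comparison suggested in the thread can both be checked from the hypervisor side. The script below is an added example, not part of the original posts or of Check Point's tooling; it assumes an ESXi standard vSwitch and a hypothetical port group name `ElasticXL-Sync`, and it runs here on constructed sample output.

```shell
#!/bin/sh
# Added example: audit the sync port group the way the thread's fix requires.
# Assumptions: ESXi standard vSwitch; port group name "ElasticXL-Sync" is
# hypothetical. On the host, feed the real output in:
#   esxcli network vswitch standard portgroup policy security get \
#       -p "ElasticXL-Sync" | audit_sync_portgroup "ElasticXL-Sync"

# Print reject / accept / unknown from the policy text on stdin.
promisc_state() {
    awk -F': *' '
        /^[[:space:]]*Allow Promiscuous:/ { v = tolower($2); gsub(/[[:space:]]/, "", v) }
        END {
            if (v == "false") print "reject"
            else if (v == "true") print "accept"
            else print "unknown"
        }'
}

# Return 0 when promiscuous mode is Reject, 1 when Accept, 2 when unparsable.
audit_sync_portgroup() {
    case $(promisc_state) in
        reject) echo "OK: $1 rejects promiscuous mode"; return 0 ;;
        accept) echo "FAIL: $1 accepts promiscuous mode"; return 1 ;;
        *)      echo "UNKNOWN: no 'Allow Promiscuous' line for $1"; return 2 ;;
    esac
}

# Compare the guest MAC of eth1-Sync with the vNIC MAC shown by the hypervisor,
# ignoring case and the ':' / '-' separator style.
same_mac() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':-')
    [ ${#a} -eq 12 ] && [ "$a" = "$b" ]
}

# Constructed samples in the layout esxcli prints (not captured from the lab).
SAMPLE_ACCEPT='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override vSwitch Allow Promiscuous: false'
SAMPLE_REJECT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override vSwitch Allow Promiscuous: true'

printf '%s\n' "$SAMPLE_ACCEPT" | audit_sync_portgroup "ElasticXL-Sync" || true
printf '%s\n' "$SAMPLE_REJECT" | audit_sync_portgroup "ElasticXL-Sync"
```

Only the effective `Allow Promiscuous` line is read; the `Override vSwitch ...` lines are deliberately ignored, since they say where the setting comes from, not what it is.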
It's the exact same link I followed as well, but since the Israel folks told me that EVE-NG is not supported, I think that's totally fair, as I don't like to waste time on unsupported platforms. I'm sure VMware should be though, but maybe someone from CP can verify.
Andy
Just for context, what does this tab look like for you?
Andy
K, I sort of figured that was the case. Does it help if you reboot that member?
Andy
Of course I tried 😁
But still the same issue...
Trying to add a second site gives me the same issue.
With or without JHF13 gives me the same issue...
The strange thing is that SMO auto-cloning is working well, for example. A really strange situation (and I have already deployed some Maestro, so it's not supposed to be totally new for me 🙂)
Let's see what CP folks say... sorry mate, I got nothing else 😂
Andy
Hi,
You need to debug your Sync network.
Please share what's working from SMO:
1. ping other member
2. move other member using m command
3. g_all echo 1 (do you see output from all members)
In addition, check the permissions on your vSwitches and make sure promiscuous mode is on reject.
Make sure to compare the MAC address of eth1-Sync and see on the VM that it is connected to your sync network on both members.
Regards,
Shai
Hi,
For information, my SYNC network is a local VLAN on my ESX host, shared only with these 2 SGMs.
1/ Yes, ping is working on sync (ping OK between 192.0.2.1 and 192.0.2.2)
2/ not working:
[Expert@ADE-CHKP-R82EA-SMO-s01-01:0]# m 1_02
IP address for member 1_02 is unavailable
3/ g_all is executed only on one member
Thanks for your help here,
Arthur
Please ack promiscuous mode is enabled on Sync vSwitches, and confirm the MAC address on eth1-Sync correlates with the MAC on the network adapter connected to your sync network on both members.
Yes, I confirmed: promiscuous mode is enabled in the Sync VLAN, and the MAC addresses are correlated on both members.
In addition - we can see traffic between members over eth1-Sync:
[Expert@ADE-CHKP-R82EA-SMO-s01-02:0]# tcpdump -nni eth1-Sync host 192.0.2.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1-Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:27.365392 IP 192.0.2.1.1135 > 192.0.2.255.1135: UDP, length 807
15:59:27.392815 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], seq 614975352:614976800, ack 1404429924, win 29, options [nop,nop,TS val 3941735243 ecr 2301092449], length 1448
15:59:27.392834 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], seq 1448:2896, ack 1, win 29, options [nop,nop,TS val 3941735243 ecr 2301092449], length 1448
15:59:27.392837 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], seq 2896:4344, ack 1, win 29, options [nop,nop,TS val 3941735243 ecr 2301092449], length 1448
15:59:27.393060 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [P.], seq 4344:4654, ack 1, win 29, options [nop,nop,TS val 3941735244 ecr 2301092449], length 310
15:59:27.393335 IP 192.0.2.1.6380 > 192.0.2.2.36379: Flags [.], ack 4654, win 179, options [nop,nop,TS val 2301101025 ecr 3941735243], length 0
15:59:27.393399 IP 192.0.2.1.6380 > 192.0.2.2.36379: Flags [P.], seq 1:23, ack 4654, win 179, options [nop,nop,TS val 2301101025 ecr 3941735243], length 22
15:59:27.393451 IP 192.0.2.2.36379 > 192.0.2.1.6380: Flags [.], ack 23, win 29, options [nop,nop,TS val 3941735244 ecr 2301101025], length 0
15:59:28.097169 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], seq 1155514033:1155515481, ack 3414838712, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 1448
15:59:28.097241 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], seq 1448:2896, ack 1, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 1448
15:59:28.097247 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], seq 2896:4344, ack 1, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 1448
15:59:28.097252 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [P.], seq 4344:4663, ack 1, win 29, options [nop,nop,TS val 2301101729 ecr 3941727387], length 319
15:59:28.097601 IP 192.0.2.2.6380 > 192.0.2.1.34456: Flags [.], ack 4663, win 179, options [nop,nop,TS val 3941735948 ecr 2301101729], length 0
15:59:28.097811 IP 192.0.2.2.6380 > 192.0.2.1.34456: Flags [P.], seq 1:23, ack 4663, win 179, options [nop,nop,TS val 3941735949 ecr 2301101729], length 22
15:59:28.097931 IP 192.0.2.1.34456 > 192.0.2.2.6380: Flags [.], ack 23, win 29, options [nop,nop,TS val 2301101730 ecr 3941735949], length 0
^C
Awesome mate! Thanks for sharing.
Andy