Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
melcu
Participant
Participant

Standby member no internet

Hi Mates,

So it's been discussed a lot but my story is a little bit different.  I have a client with a bunch of Active/Standby ClusterXL  clusters in which the Standby member cannot access he internet at all.

Long story short: I almost ran out of search keywords in this forum and on google regarding the issue. First of all, sk43807 was followed line-by-line with no luck. then fwha_forw_packet_to_not_active 1/0 - no change at all and this is why!  - please see the diagram. There is more than 1 interface but you get the picture.

Both members are running only on private IP addresses.  All traffic is NAT hidden behind a public IP address and the CORE router knows to route the /32 of that public IP address to the VIP address of the cluster.  When the ACTIVE node (doesn't matter, fw1 or fw2) sends any packets it's NAT-ed behind that public IP address and sent on it's way. The return traffic is forwarded by the router to the VIP which and everything works (as VIP is bounded to the Active member).

 

When the Standby member tries to access everything I can see (and I'm very sorry but I cannot put real captures here due to IP address privacy)  that packets that originates from Standby  are forwarded to the Active member over the SYNC interface. The Active member then matches the traffic to it's rulebase, applies NAT and packets go out to CORE and then to internet. The return traffic is funny. It arrives on the Active member and there vanishes. It's not dropped (fw ctl zdebug +drop) , it simple vanishes and is not forwarded to the Standby member (which is a function by design I presume).

So eventually I've lost all my hops in making this work.

Any help or guidance will really be apreciated.

 

Wish all the best,

0 Kudos
34 Replies
the_rock
Legend
Legend

Super useful! Btw, to make those values permanent, you would need to add them to fwkern.conf file in $FWDIR/boot/modules dir

ScottF
Explorer

absolutely. commands I'm running to add to the kwkern.conf file:
fw ctl set -f int fwha_silent_standby_mode '0'
fw ctl set -f int fwha_forw_packet_to_not_active '1'
fw ctl set -f int fwha_cluster_hide_active_only '0'
fw ctl set -f int ccl_force_use_ccp '1'

to verify results: cat $FWDIR/boot/modules/fwkern.conf 
fwha_silent_standby_mode=0
fwha_forw_packet_to_not_active=1
fwha_cluster_hide_active_only=0
ccl_force_use_ccp=1

a reboot is required for file change to go into effect.

0 Kudos
melcu
Participant
Participant

Oh wow!

I have tested with the client and:

 

fwha_silent_standby_mode=0
fwha_forw_packet_to_not_active=1
fwha_cluster_hide_active_only=0
ccl_force_use_ccp=1

 

Broke everything 🙂 Even the active member.  I think there's something with the CORE router but as I cannot have a "tcpdump" or a capture from that one I honestly don't have any idea of what's wrong 😞 It kind of frustration as I cannot help them and not even TAC can help.

Still researching...

0 Kudos
Andrejs__Андрей
Contributor

is at client config used vmac (at CheckPoint config)?
if yes, please look to disable that...


regards,
Andrey.

0 Kudos
Andrejs__Андрей
Contributor

you are welcome!


regards,
Andrey.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events