This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
woee
Participant
‎2022-07-25 11:41 PM
Jump to solution

Sync interface on 80.30 never comes up

Hello,

I have set up a HA cluster (2 gw + 1 mgmt) running 81.10 and everything is working fine. This is running on an ESXi server. When I set up the same cluster but in version 80.30, the sync interface never comes up. The HA cluster actually runs in split brain, as they cannot communicate since the sync interface never comes up. I have tested different configuration settings, but the ClusterXL is always failing to be established.

- I have a /30 subnet on the sync interface, making it a unique sync network (and it is the lowest vlan).
- On Gaia all interfaces are up, I can ping between them just fine to any interface, also the sync interface.
- Access policy contains just 1 rule to allow anything.
- I have the all-in-one evaluation license on all servers.
- In the logs I cannot see anything but the fact that the sync interface is down on both sides.
- Via cpconfig I removed each member (option 6) and joined again after reboot.
- I recreated the sic trust, changed every possible setting for anti-spoofing.
- I removed the cluster object and recreated it again, no effect.
- I used vmxnet3 and E1000 interfaces on the virtual machines.
- I used different subnets and IP addresses, but same result.
- Changed CCP mode to broadcast, unicast, auto, all same result (now it is again auto/unicast).
- ClusterXL is installed on the gateways.
- I used the wizard to create the cluster.
- I reinstalled the servers to be sure but the same result is noticed.

The only way to get the interfaces in an UP state, is when I set the first mgmt interface to cluster+sync. When I do this the interfaces come up (sometimes), but there is still no traffic between them to establish a proper HA cluster.

I am new to Checkpoint and cannot find any other info to troubleshoot further. I've taken a look at the log files, but cannot find a log file about the sync interface and the HA mechanism (not in fwd.elg or messages or any other file). Is there a log file where you can see the servers trying to establish the cluster or why the sync interfaces don't come up for HA? These interfaces are up and working, they just don't do HA.

Is there something obvious I am missing on the 80.30 that is different from the 81.10?

Thank you!
Wouter

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2022-07-26 12:48 AM
Jump to solution

R80.40 and above is less strict on the requirements...

Do you have all the following in place: sk101214 

CCSM R77/R80/ELITE

View solution in original post

8 Replies
_Val_
Admin
Admin
‎2022-07-26 12:18 AM
Jump to solution

Double check that your clusterID on R80.30 is set to the same number on both cluster members. 

0 Kudos
woee
Participant
‎2022-07-26 01:05 AM
In response to _Val_
Jump to solution

Thanks, great pointing out the clusterid, makes sense if there is a mismatch 2 different clusters will be formed. I don't know how to get this id. Do you know an easy way to verify this on 80.30?

[Expert@FW1:0]# cphaconf cluster_id get
cphaconf cluster_id set\get is not supported in this version.
For more details, please refer to sk25977.

0 Kudos
_Val_
Admin
Admin
‎2022-07-26 01:29 AM
In response to woee
Jump to solution

from clish: 

show cluster mmagic

0 Kudos
woee
Participant
‎2022-07-26 01:31 AM
In response to _Val_
Jump to solution

So what is the clusterID in there?

 

FW1> show cluster mmagic

Configuration mode: Automatic
Configuration phase: Stable

MAC magic: 1
MAC forward magic: 254

Used MAC magic values: None.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-07-26 12:48 AM
Jump to solution

R80.40 and above is less strict on the requirements...

Do you have all the following in place: sk101214 

CCSM R77/R80/ELITE
woee
Participant
‎2022-07-26 01:07 AM
In response to Chris_Atkinson
Jump to solution

Thank you. When browsing the SKs and forum, I didn't stumble upon this. I verified and most of the 3 settings were rejected. I have reconfigured the sync interface with a port group that has these settings enabled. Immediately, the interfaces came up, the cluster formed and I have a working active/standby setup on 80.30. I was hoping it was not CP related. 

That was fast! Thank you! Saves me at least some hours.

 

_Val_
Admin
Admin
‎2022-07-26 01:29 AM
In response to woee
Jump to solution

@woee great to hear. you can ignore ClusterID then 🙂

0 Kudos
woee
Participant
‎2022-07-26 01:32 AM
In response to _Val_
Jump to solution

Yes, but now I need to know. 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events