This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernardes
Advisor
Advisor
‎2023-03-16 08:25 PM
Jump to solution

VIP Cluster not reply ping, ssh, web, etc...

Hello Mates!

I deploy a new Cluster and SMS and this cluster has 2 interfaces(eth0 and eth1):

eth0(member1 - 172.31.1.2, member2 - 172.31.1.3, VIP - 172.31.1.1)

eth1(member1 - 172.31.0.8, member2 - 172.31.0.9, VIP - 172.31.0.10)

When I ping physical interfaces (.8 and .9 or .3 and .4) it replies normally and I can access ssh and web portal from that, but when I try to ping or access the VIP (.10 or .1) it does not respond. This is a brand new environment. I deploy many others and I didn't have to make any changes for it to work.

Any advice to make it work?

 

This is a distributed Cluster(2 members HA Active/Standby) + SMS R81.10 JHF take 87 all open servers Virtual appliances

Thank you!

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Gold
MVP Gold
‎2023-03-17 12:54 AM
Jump to solution

See sk102118:
It is not possible to ping or connect over SSH to ClusterXL VIP address

or sk106425:
Connections through cluster to physical IP address of ClusterXL Standby member / VRRP Backup member ... 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

0 Kudos
11 Replies
HeikoAnkenbrand
MVP Gold
MVP Gold
‎2023-03-17 12:54 AM
Jump to solution

See sk102118:
It is not possible to ping or connect over SSH to ClusterXL VIP address

or sk106425:
Connections through cluster to physical IP address of ClusterXL Standby member / VRRP Backup member ... 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Bernardes
Advisor
Advisor
‎2023-03-17 02:01 PM
In response to HeikoAnkenbrand
Jump to solution

Hello @HeikoAnkenbrand 

 

I tried this sks, but nothing changed. In my LAB I noticed that sometimes the VIP reply ping and sometimes don't on eth0. In eth1 I can ping VIP and interfaces IPs simultaneously normally. I'm not sure why it occurs. Any advice? Other than those already mentioned

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2023-03-18 12:57 AM
In response to Bernardes
Jump to solution

From where you are trying to reach VIPs ?

Do you see any drops on Active member using following command (from expert) while initiating the traffic ?

fw ctl zdebug + drop | grep 172.31.1.

Kind regards,
Jozko Mrkvicka
0 Kudos
Bernardes
Advisor
Advisor
‎2023-03-18 03:52 PM
In response to JozkoMrkvicka
Jump to solution

@JozkoMrkvickaI tried to access it from the same subnet of each interface. In the case of my lab, from the 172.12.10(eth1) I can ping simultaneously interfaces IP and the VIP, but from the 192.168.10(eth) sometimes I can ping the VIP and sometimes dont.

In the case of customer environment nither interface ping the VIP, but I can access by SSH for example.

 

No drops on zdebug.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-18 05:54 AM
In response to HeikoAnkenbrand
Jump to solution

Hm, I dont think thats 100% accurate. I have R81.10 cluster lab and I can perfectly ping and ssh into VIP. No changes were ever made to any files to make that work.

0 Kudos
Bernardes
Advisor
Advisor
‎2023-03-18 04:01 PM
In response to the_rock
Jump to solution

@the_rockIndeed this is very weird. I already made labs in other times that no were need changes to work it too.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-18 04:32 PM
In response to Bernardes
Jump to solution

I agree. Let me see if I can verify it in lab Monday.

Bernardes
Advisor
Advisor
‎2023-03-19 09:29 AM
In response to the_rock
Jump to solution

I'm very grateful for your help as always @the_rock !

the_rock
MVP Gold
MVP Gold
‎2023-03-19 09:41 AM
In response to Bernardes
Jump to solution

I will check with my colleague tomorrow if I can turn 4 CP vm's back on, as we needed to turn them off for some Aruba testing. If I can, we can circle back and I will update you.

Cheers mate.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-19 02:56 PM
In response to Bernardes
Jump to solution

Always willing to help the best I can @Bernardes , my pleasure mate.

0 Kudos
Iamerror404
Explorer
‎2023-09-07 07:41 AM
Jump to solution

Hello Mates,

I had a similar issue as Bernardes but was able to resolve it. 

What I have done is to reinitiate the SIC and copy topology to interfaces. After that, I was able to ping the VIP.

I hope it helps.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events