VLAN subinterface not participating in HA
Have an issue with VLAN subinterfaces not participating in HA.
R80.10, HW 6500 qty 2 running in active/active
I've got 3 VLAN subinterfaces on eth1-04:
eth1-04.200
eth1-04.300
eth1-04.500
Prior to yesterday, eth1-04.200 and eth1-04.300 were the only existing subinterfaces and they both were participating in HA. Yesterday, I set up a new VLAN subinterface eth1-04.500 in Gaia and as a cluster interface in the FW gateway object, etc.
Afterwards, eth1-04.500 was not showing up in HA at either command line or in SmartConsole "Gateways & Servers".
Decided to go ahead and individually reboot the two enforcement points as a hopefully simple way to clear that up, and they had been up for a long time so wanted to refresh anyway.
Afterwards, eth1-04.500 did begin to show up in HA, but then eth1-04.300 stopped showing up in HA. Further reboot and policy pushes do not change this.
Here is cphaprob -a if from one gateway:
[Expert@chw_pbx_bbfw1:0]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
Sync UP sync(secured), multicast
bond41 UP non sync(non secured), multicast, bond Load Sharing
eth1-04 UP non sync(non secured), multicast (eth1-04.500)
eth1-04 UP non sync(non secured), multicast (eth1-04.200)
Virtual cluster interfaces: 4
bond41 10.150.2.188
eth1-04.500 10.5.1.21
eth1-04.200 10.2.0.1
eth1-04.300 10.3.6.49
Any idea what happened?
Thanks.
Q (Quentin)
Accepted Solutions
By default, Check Point only monitors the highest VLAN ID and the lowest VLAN ID on each interface. The other interfaces still get cluster VIPs, as you can see in your 'cphaprob -a if' output, but they don't get CCP heartbeats. After all, the infrastructure between the firewalls on all of those interfaces is all but guaranteed to be the same, so more CCP would just waste more of the interface's time slots. Imagine the overhead of sending heartbeats on each of 500 VLAN IDs on a given interface.
Okay, thanks. This makes total sense now. I did see a discussion on this elsewhere on here, but I didn't understand that was applying to me in this case. Appreciate the explanation.
I appreciate the low/high VLAN heartbeat design. But if you are in a company like ours, we see from time to time that a VLAN is missing in our infrastructure, so 4 months later the cluster does a failover and all traffic is blackholed.
Just something to be aware of. The CCP heartbeat behaviour can be changed if you wish.
Regards,
Henrik
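The accepted answer explains which VLAN subinterfaces receive CCP heartbeats (lowest and highest VLAN ID per physical interface), and Henrik's reply describes the failure mode that leaves behind: a VLAN that has a VIP but no heartbeat can be silently broken on the switch side until a failover blackholes it. The following script is an added example, not part of this thread and not a Check Point tool: it parses the `cphaprob -a if` output format as posted above (the sample text embedded below is the questioner's own output, used here as constructed test input) and lists, per physical interface, which VLAN subinterfaces hold a cluster VIP but are not in the monitored set, so an operator can make a point of checking those VLANs by other means. It assumes a Python 3 interpreter and does not change any cluster setting.

```python
"""Report VLAN subinterfaces that carry a cluster VIP but get no CCP
heartbeats, by parsing `cphaprob -a if` output.

Example code added to this thread; it is not Check Point's tooling.
Usage on a member (assumes python3 is available):
    cphaprob -a if | python3 ccp_vlan_check.py
With no piped input it runs against the embedded sample instead.
"""
import re
import sys
from collections import defaultdict

# Constructed sample input: the `cphaprob -a if` output posted in the question.
SAMPLE = """\
Required interfaces: 4
Required secured interfaces: 1
Sync UP sync(secured), multicast
bond41 UP non sync(non secured), multicast, bond Load Sharing
eth1-04 UP non sync(non secured), multicast (eth1-04.500)
eth1-04 UP non sync(non secured), multicast (eth1-04.200)
Virtual cluster interfaces: 4
bond41 10.150.2.188
eth1-04.500 10.5.1.21
eth1-04.200 10.2.0.1
eth1-04.300 10.3.6.49
"""

# A monitored-interface line ends with the VLAN subinterface CCP runs on,
# e.g. "eth1-04 UP non sync(non secured), multicast (eth1-04.500)".
MON_RE = re.compile(r"^(\S+)\s+\S+.*\(([\w-]+\.\d+)\)\s*$")
# A VLAN subinterface name: physical interface, dot, VLAN ID.
VLAN_RE = re.compile(r"^(?P<phys>[\w-]+)\.(?P<vid>\d+)$")


def parse_cphaprob_if(text):
    """Return (monitored, vips).

    monitored: physical interface name -> set of VLAN subinterfaces that
               appear in the monitored section (i.e. receive CCP).
    vips:      interface name -> VIP address from the
               "Virtual cluster interfaces" section.
    """
    monitored = defaultdict(set)
    vips = {}
    in_vip_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Virtual cluster interfaces"):
            in_vip_section = True
            continue
        if in_vip_section:
            name, _, ip = line.partition(" ")
            vips[name] = ip.strip()
            continue
        m = MON_RE.match(line)
        if m:
            monitored[m.group(1)].add(m.group(2))
    return dict(monitored), vips


def unmonitored_vlans(text):
    """Per physical interface: VLAN subinterfaces with a VIP that are not
    monitored, plus the lowest/highest pair the default design should pick,
    so a mismatch between 'monitored' and 'expected_by_design' also shows up."""
    monitored, vips = parse_cphaprob_if(text)
    by_phys = defaultdict(dict)          # phys -> {vlan_id: subinterface name}
    for name in vips:
        m = VLAN_RE.match(name)
        if m:
            by_phys[m.group("phys")][int(m.group("vid"))] = name
    report = {}
    for phys, vlans in by_phys.items():
        mon = monitored.get(phys, set())
        vids = sorted(vlans)
        expected = {vlans[vids[0]], vlans[vids[-1]]}
        report[phys] = {
            "monitored": sorted(mon),
            "expected_by_design": sorted(expected),
            "unmonitored": [vlans[v] for v in vids if vlans[v] not in mon],
        }
    return report


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for phys, r in unmonitored_vlans(text).items():
        print(f"{phys}: CCP on {r['monitored']}, no CCP on {r['unmonitored']}")
```

On the output from the question this reports eth1-04.200 and eth1-04.500 as monitored (the lowest and highest VLAN ID, matching the accepted answer) and eth1-04.300 as carrying a VIP with no heartbeat. Anything in the "unmonitored" list is exactly what Henrik warns about: the cluster will not notice if that VLAN is dropped from the trunk, so it needs a separate reachability check.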
