Hi,
R81.10 with Jumbohotfix 87.
both firewalls were also restarted but the anomaly was not resolved.

this is related to the firewall that is experiencing this problem:

add interface bond5 vlan 526
set interface bond5 state on

set interface eth1-03 comments "bond5"
set interface eth1-03 link-speed 10G/full
set interface eth1-03 state on
set interface eth1-03 auto-negotiation on
set interface eth1-04 comments "bond5"
set interface eth1-04 link-speed 10G/full
set interface eth1-04 state on
set interface eth1-04 auto-negotiation on

set interface bond5.526 ipv4-address 10.173.26.130 mask-length 27
set interface bond5.700 state on

show interface bond5.526
state on
mac-addr 00:1c:7f:a2:2x:xx
type vlan
link-state not available
mtu 1500
auto-negotiation Not configured
speed N/A (bond5)
ipv6-autoconfig Not configured
monitor-mode Not configured
duplex N/A (bond5)
link-speed Not configured
comments
ipv4-address 10.173.26.130/27
ipv6-address Not Configured
ipv6-local-link-address Not Configured

with the command cphaprob -a if | grep bond5.526 the vlan created on this firewall is not shown.

-----
the second firewall where the vlan appears with cphaprob -a if:

set interface bond5 state on
add interface bond5 vlan 526

set interface eth1-03 comments "bond5"
set interface eth1-03 link-speed 10G/full
set interface eth1-03 state on
set interface eth1-03 auto-negotiation on
set interface eth1-04 comments "bond5"
set interface eth1-04 link-speed 10G/full
set interface eth1-04 state on
set interface eth1-04 auto-negotiation on

set interface bond5.526 state on
set interface bond5.526 ipv4-address 10.173.26.131 mask-length 27

show interface bond5.526
state on
mac-addr 00:1c:7f:a2:1x:xx

type vlan
link-state not available
mtu 1500
auto-negotiation Not configured
speed N/A (bond5)
ipv6-autoconfig Not configured
monitor-mode Not configured
duplex N/A (bond5)
link-speed Not configured
comments
ipv4-address 10.173.26.131/27
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:25396 packets:482 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:9281422 packets:55725 errors:0 dropped:0 overruns:0 frame:0

Yes the switch is configured in the trunk.

Thx

I see the command "set interface bond5.526 state on" on the working member but i don't see it on the non working member.

I assume you just didn't copy it but can you confirm it's there, and if not try to paste it on your non working member ? 

Also in smc go into the interface > advanced. And verify interface name is correct for both members

Thx

the inactive member is the secondary.
in the comment above I added the output of the set Interface command...
after the dashes.
Checkpoint support suggested we upgrade to the latest jumbo, but I would like to find another solution

Does it show same output from cphaprob -a if?

No...

with the cphaprob -a if command on the active/primary firewall the created vlan is not shown, while on the secondary/inactive one the following output is shown:

cphaprob -a if | grep 526
bonds5.526 10.173.26.129

So the active member is not working.

Im asking again. On the command output you wrote above i don't see "set interface bond5.526 state on" on the active member. Can you verify the state on exist on the vlan interface of the active?

Also you mention no physical connectivity.

Can you run 'tcpdump -nnei bond5.526' on both members, then run ping from secondary member to the active (10.173.26.131), if you don't get reply, run arp -an | grep 10.173.26.131 and see if you have the arp of this ip or mac is empty.

Verify if the arp req received on the active member and that arp response recevied the standby member (by tcpdump output)

You can share it here

@ancastaldo I totally agree with @AmirArama . Output of command for that vlan is missing on one of the firewall, which would explain 100% why clustering is broken and you dont see it in topology.

Best,

Andy

HI,
Yes, I checked, the bond5.526 interface appears to be UP.
From the inactive firewall it is possible to ping the other node while from the active firewall I cannot ping the secondary one

using the suggested command on the down node when I try to ping from the active firewall they only pass echo requests:

00:1c:7f:a2:2x:xx > 00:1c:7f:a2:1x:xx, IPv4 ether type (0x0800), length 98: 10.173.26.130 > 10.173.26.131: ICMP echo request, id 61869, seq 8, length 64

This is the output from the active firewall after pinging with the command...:
arp -an | grep10.173.26.131
? (10.173.26.131) at 00:1c:7f:a2:1x:xx [ether] on bond5.526

Can you confirm if topology shows that interface the same on both cluster members?

Best,

Andy

please run 'tcpdump -nnei bond5.526' from both cluster members , as well as 'fw ctl zdebug + drop | grep 10.173.26' from both members. run the ping from active to standby, stop the tcpdump and the other command with ctrl+c. and share output from both.

run 'fw ctl debug 0' to reset debug settings.

also please share from SMC, cluster object > network management > bond5.526 > advanced tab  > interfaces names)

Hi Andy,
we tried again to create the vlan from 0 on both firewalls via gaia and using the "get interface without topology " command on the firewall cluster.
Unfortunately the situation is always the same

Question...do BOTH interfaces show correctly in topology?

Andy

Yes are displayed correctly with the bond and IP assigned

and from cphaprob -a if command?

Andy

with the cphaprob -a if command, on the currently active firewall you do not see bond 5.526 while on the secondary (standby) yes.

With reachability tests the outcome is always the same:

Primary does not ping the secondary firewall,
while the secondary firewall manages to ping the primary.

We also tried restarting both nodes and installing the jumbo 135, but nothing changed

Sounds like it may need remote with TAC to check this further.

Andy

Yes a SR has already been opened for support, we had a remote session but it wasn't enough