- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
VSX Cluster setup...
configuring cluster ip, gateway members and sync network(ip addresses)
it all went well. but in the provisioning step. it threw an error regarding SYNC interface.
now when i ssh to the 1st members where sync is "working" and i issue "show configuration" it says
set interface Mgmt state on
set interface Mgmt auto-negotiation on
set interface Mgmt ipv4-address 10.10.101.32 mask-length 24
set interface Sync state on
set interface Sync mtu 1500
set interface Sync ipv4-address 5.1.1.2 mask-length 30
So thats fine.
when i ssh to the 2nd member it only shows this
set interface Mgmt state on
set interface Mgmt auto-negotiation on
set interface Mgmt ipv4-address 10.10.101.33 mask-length 24
set interface Sync state off
How do i get around to fix that?
ive have already tried issuing commands like
set interface Sync state on
set interface Sync mtu 1500
set interface Sync ipv4-address 5.1.1.3 mask-length 30
it just doesnt work. saving the config works(it throws no errors)
if i do a show configuration afterwards then it doesnt show what i just added.
@skandshus In a VSX environment don‘t change these via CLI, configure everything via SmartConsole. Your sync subnet is 5.1.1.0/30
network is 5.1.1.0
host IPs are 5.1.1.1 and 5.1.1.2
broadcast is 5.1.1.3
I never used such a small sync net, maybe you have to use a little bit larger subnet but you can try if you use the right host IPs.
5.1.1.3 is definitely the high broadcast address on the 5.1.1.0/30 network. That would be why the assignment on the actual member failed. I guess SmartConsole doesn't check for that.
This is a new cluster, right? If the cluster object has been built, I would delete it and set it up again from scratch.
One other concern: 5.1.1.3 is a public, routable IP. Unless you're working for PJSC Datagroup in Ukraine, you do not own this public IP. It is generally a bad idea to use routable IPs for sync, and it's a terrible idea to use routable IPs which you don't own internally for any purpose.
i know. i just inserted something since the Sync cable are direct connected so now in anyway connected to the network, so to say.
but yeah i can change it.. but i think i need to delete the cluster.
do you know how i proceed on that? because i have 2 cluster members. so i cannot remove them. if i try to delete cluster i cant because it has "members". if i try to delete the members i cant because they are in use by the cluster..
this is newly built because i had an issue in the cluster so i had to Reset them to make them "work" actually..
Do you have any idea on how to change the addresses after they were set?
@skandshus remove the existing sync interface and add a new one with the correct IP addresses. Push vsx configuration then install policy.
The "delete" button in smart console is grayed out.. is it supposed to be done another way?
Is it R81 T44?
Take 22 🙂
to manage VSX you will need to use command line toolset vsx_util:
Commands:
vsx_util reconfigure # Restores VSX configuration on gateway.
vsx_util upgrade # Upgrades gateway/cluster version.
vsx_util add_member # Adds a cluster member.
vsx_util remove_member # Removes a cluster member.
vsx_util change_private_net # Changes the cluster private network.
vsx_util change_mgmt_ip # Changes the management IP of a member/gateway.
vsx_util change_mgmt_subnet # Changes (or Adds) the management IP of a cluster/gateway to a new subnet.
vsx_util change_interfaces # Changes between selected interfaces on all Virtual Devices.
vsx_util vsls # VS Load Sharing configuration menu - status, redistribute, configuration export/import.
vsx_util convert_cluster # Converts the ClusterXL mode between High Availability and VS Load Sharing.
vsx_util view_vs_conf # View Virtual Device configuration on Management versus VSX gateways.
vsx_util show_interfaces # Shows configuration of selected interfaces.
i just cant find the specific command for editing/changing sync interfaces. do you know which commands is needed there?
mgmt server is 10.10.101.20
the gateway with wrong sync address/interface is 10.10.101.33
do you know if i could possible type vsx_util change_interfaces -s 10.10.101.20 -u admin -m GW6200B
Gw6200B= the physical hardware with wrong sync address
When you create a new VSX cluster, you will only have to configure Mgmt interface IP via CLISH/WebUI on all cluster members. Rest is left blank including Sync. Wizard will take care of that.
Did you create VSX gateway or cluster initially?
Thank you for your assistance so far. Much appreciated
I chose the VSX>Cluster and the VSX cluster platform was ClusterXL virtual system load sharing.
then i added members and also added the sync address
In that case wizard did not complete quite well - you should have seen IP addresses on both Sync interfaces.
I would suggest to wipe VSX completely from SmartConsole
Then run reset_gw on both members (to remove all VSX config and reset SIC)
Make sure that Sync interfaces are UP and connected
Run VSX cluster wizard again with bigger mask for Sync, say 29
Alternatively you can play with vsx_util commands on management server plus check locally on the gateway:
head -10 $FWDIR/state/local/VSX/local.vsall
i dont know if im misunderstanding something or just explaining myself wrong 🙂
But i cant wipe/remove cluster or cluster member from smartconsole.. because there is only 2 members, and minimum is 2. so it prevents me from deleting.
If i try to delete member gateway i cant. error is= referenced by other object.. which is the cluster that references is.. if i then try to delete the cluster. it gives error because it has members..
Sorry missed that in the thread. Strange - removing the whole cluster should work as far as I can see it in our R80.40.
Can you share a screenshot when you try to delete whole VSX cluster?
here they are. Of course cluster cant be deleted beause it has members... and members cant be deleted because they are in use by the cluster 🙂
i cant manually open the cluster and "remove" a member because it only has 2 members which is the bare minimum, so i get some how "stuck"
so i have no idea how to "completely reset/start over" properly.
Make sure your cluster/members are not used in a policy rule and installation targets.
that is already cleared unfortunately 😞
if i click "where used" no policy or otherwise is shown.. only the cluster membership 😞
wow, sounds like a bug to me if the only place the gateway object is used is in the cluster itself 🙂 TAC!
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 22 | |
| 17 | |
| 12 | |
| 10 | |
| 9 | |
| 9 | |
| 7 | |
| 7 | |
| 7 | |
| 5 | 
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 11:00 AM (EDT)
Tips and Tricks 2025 #15: Become a Threat Exposure Management Power User!About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY