nflnetwork29
Advisor

how to configure my switch for cluster xl

I have 2 Check Point 6200s (ClusterXL) and 1 HPE 5710 switch (stacked).

I am connecting cp1-eth6 to switch 1 and cp2-eth6 to switch 2.

How do I configure my switch ports?

When I run cphaprob stat it shows that one of my interfaces is down.

Do we have any sample configuration I can reference?

As the HP switch is my route to LAN, I would like these to be trunk ports. I have created SVI on Check Point.

Any help is appreciated.

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee

Check Point ClusterXL clusters are not multi-chassis when it comes to things like bonding etc, so the switch should not use LACP when configuring a single interface on each cluster member. If you were to create an LACP bond on each cluster member, you would then create two corresponding LACP bonds on the switches, not a single one. 

The switches know which gateway is holding the VIP because the active gateway will be the one that responds to ARP requests from network devices looking for the VIP.

9 Replies
the_rock
Legend
Legend

Not sure if the below may apply to you, as it's not an HPE switch, but rather Cisco:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

By the way, which interface shows as down? Can you send output of below commands please?

cphaprob roles

cphaprob state

cphaprob -i list

cphaprob syncstat

cphaprob -a if

Andy

0 Kudos
nflnetwork29
Advisor

[Expert@xyz-cp01:0]# cphaprob roles

ID Role

1 (local) Non-Master
2 Master

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 10.222.222.1 0% DOWN xyz-cp01
2 10.222.222.2 100% ACTIVE xyz-cp02


Active PNOTEs: LPRB, IAC

Last member state change event:
Event Code: CLUS-110800
State change: STANDBY -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Mon Jan 16 11:25:28 2023

Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface is down (Cluster Control Protocol packets are not received)
Event time: Mon Jan 16 11:19:29 2023

Cluster failover count:
Failover counter: 15
Time of counter reset: Sat Jan 14 10:07:58 2023 (reboot)


[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check
Current state: problem

Registered Devices:

Device Name: Local Probing
Registration number: 8
Timeout: none
Current state: problem
Time since last report: 2882.3 sec

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob syncstat

Delta Sync Statistics

Sync status: OK

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent messages:
Total generated sync messages................ 666662
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 2

Received messages:
Total received updates....................... 84545
Received retransmission requests............. 0

Sync Interface:
Name......................................... Sync
Link speed................................... 1000Mb/s
Rate......................................... 10400 [Bps]
Peak rate.................................... 10400 [Bps]
Link usage................................... 0%
Total........................................ 1745 [MB]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Sat Jan 14 15:48:22 2023 (triggered by fullsync).

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 1


Interface Name: Status:

eth1 UP
Sync (S) UP
Mgmt Non-Monitored
eth6.30 (P) DOWN (2262.7 secs)

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 2

eth1 X.X.X.X
eth6.30 10.54.1.1

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]#

0 Kudos
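
Added example, not part of the original thread and not Check Point's own tooling: a small POSIX shell check that reads `cphaprob -a if` and `cphaprob state` text in the layout posted above and reports which monitored interface is DOWN and why the local member left the cluster. The function names and the embedded sample text (trimmed from the output in this post) are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample input, trimmed from the `cphaprob -a if` and
# `cphaprob state` output posted in this thread.
SAMPLE_IF='Interface Name: Status:
eth1 UP
Sync (S) UP
Mgmt Non-Monitored
eth6.30 (P) DOWN (2262.7 secs)
S - sync, HA/LS - bond type, LM - link monitor, P - probing'
SAMPLE_STATE='1 (local) 10.222.222.1 0% DOWN xyz-cp01
2 10.222.222.2 100% ACTIVE xyz-cp02
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)'

# Read `cphaprob -a if` text on stdin; print "name state" per interface row.
cluster_if_states() {
  awk '
    /^Interface Name:/ { in_tbl = 1; next }   # table starts after the header
    /^S - sync/        { in_tbl = 0 }          # flag legend ends the table
    in_tbl && NF >= 2 {
      state = ""
      # skip "(S)" / "(P)" flag tokens; the next field is the status
      for (i = 2; i <= NF; i++) if ($i !~ /^\(/) { state = $i; break }
      if (state != "") print $1, state
    }'
}

# Names of interfaces reported DOWN.
down_cluster_ifs() { cluster_if_states | awk '$2 == "DOWN" { print $1 }'; }

# Read `cphaprob state` text on stdin; print the state of the local member.
local_member_state() { awk '$2 == "(local)" { print $(NF - 1) }'; }

# Summarise both outputs; returns 1 when the local member needs attention.
cluster_health() {   # $1 = `cphaprob -a if` text, $2 = `cphaprob state` text
  down=$(printf '%s\n' "$1" | down_cluster_ifs)
  state=$(printf '%s\n' "$2" | local_member_state)
  reason=$(printf '%s\n' "$2" | sed -n 's/^Reason for state change: //p')
  echo "local member state: $state"
  [ -n "$down" ] && echo "interfaces DOWN: $down (check switch port, VLAN tagging, LACP)"
  [ -n "$reason" ] && echo "reason: $reason"
  [ -z "$down" ] && [ "$state" != "DOWN" ]
}

# Demo on the constructed sample; on a gateway pass "$(cphaprob -a if)" "$(cphaprob state)".
cluster_health "$SAMPLE_IF" "$SAMPLE_STATE" || true
```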
nflnetwork29
Advisor

So I have 2 ports on my switch. Do people typically configure these with LACP? How does the switch not detect a loop?

Does anyone have a sample config? I'm doing active/standby ClusterXL if that helps.

0 Kudos
the_rock
Legend
Legend

I have a call with a customer shortly and they use ClusterXL (HA), so I will ask them. I assume eth6.30 is what's connected to your switch? Have you tried bouncing the status or tried another cable just to make sure that can be ruled out?

0 Kudos
nflnetwork29
Advisor

I removed the LACP configuration and it seems to be working now. Still curious how the switch knows where to route the traffic, i.e. where the VIP is located (checkpoint 1 or 2).

the_rock
Legend
Legend

It would know, because VIP is ALWAYS tied to whichever member is master.

0 Kudos
nflnetwork29
Advisor

Thank you - I was using a single LACP on my switch - that was my error.

0 Kudos
the_rock
Legend
Legend

By the way, I found an issue another client had back in May 2022, and the issue was a misconfigured VLAN on the switch side. Not implying by any means that's your issue, but it might be worth checking.

0 Kudos
