This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nflnetwork29
Advisor
‎2023-01-16 09:51 AM
Jump to solution

how to configure my switch for cluster xl

I have 2 checkpoint 6200's (CLuster XL) and 1 HPE 5710 switch (stacked) 

I am connecting cp1-eth6 to switch 1 and cp2-eth6 to switch 2. 

 

How do i configure my switch ports?

when i run cphaprob stat it shows that one of my interfaces is down 

 

do we have any sample configuration i can reference?

 

as the HP switch is my route to LAN i would like these to be trunk ports. I have created SVI on checkpoint.

 

any help is appreciated., 

Labels
0 Kudos
1 Solution

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-01-17 06:41 PM
In response to nflnetwork29
Jump to solution

Check Point ClusterXL clusters are not multi-chassis when it comes to things like bonding etc, so the switch should not use LACP when configuring a single interface on each cluster member. If you were to create an LACP bond on each cluster member, you would then create two corresponding LACP bonds on the switches, not a single one. 

The switches know which gateway is holding the VIP because the active gateway will be the one that responds to ARP requests from network devices looking for the VIP.

View solution in original post

(1)
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-01-16 10:03 AM
Jump to solution

Not sure if below may apply to you, as its not HPE switch, but rather Cisco:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

By the way, which interface shows as down? Can you send output of below commands please?

cphaprob roles

cphaprob state

cphaprob -i list

cphaprob syncstat

cphaprob -a if

Andy

Best,
Andy
0 Kudos
nflnetwork29
Advisor
‎2023-01-16 10:15 AM
In response to the_rock
Jump to solution

[Expert@xyz-cp01:0]# cphaprob roles

ID Role

1 (local) Non-Master
2 Master

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 10.222.222.1 0% DOWN xyz-cp01
2 10.222.222.2 100% ACTIVE xyz-cp02


Active PNOTEs: LPRB, IAC

Last member state change event:
Event Code: CLUS-110800
State change: STANDBY -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Mon Jan 16 11:25:28 2023

Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface is down (Cluster Control Protocol packets are not received)
Event time: Mon Jan 16 11:19:29 2023

Cluster failover count:
Failover counter: 15
Time of counter reset: Sat Jan 14 10:07:58 2023 (reboot)


[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check
Current state: problem

Registered Devices:

Device Name: Local Probing
Registration number: 8
Timeout: none
Current state: problem
Time since last report: 2882.3 sec

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob syncstat

Delta Sync Statistics

Sync status: OK

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent messages:
Total generated sync messages................ 666662
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 2

Received messages:
Total received updates....................... 84545
Received retransmission requests............. 0

Sync Interface:
Name......................................... Sync
Link speed................................... 1000Mb/s
Rate......................................... 10400 [Bps]
Peak rate.................................... 10400 [Bps]
Link usage................................... 0%
Total........................................ 1745 [MB]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Sat Jan 14 15:48:22 2023 (triggered by fullsync).

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 2
Required secured interfaces: 1


Interface Name: Status:

eth1 UP
Sync (S) UP
Mgmt Non-Monitored
eth6.30 (P) DOWN (2262.7 secs)

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 2

eth1 X.X.X.X
eth6.30 10.54.1.1

[Expert@xyz-cp01:0]#
[Expert@xyz-cp01:0]#

0 Kudos
nflnetwork29
Advisor
‎2023-01-16 10:38 AM
In response to nflnetwork29
Jump to solution

so i have 2 ports on my switch -- Do people typically configure these with LACP? How does the switch not detect a loop?

Does anyone have a sample config? I'm doing active /standby cluster xl if that helps. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-16 10:47 AM
In response to nflnetwork29
Jump to solution

I have call with customer shortly and they use clusterXL (HA), so will ask the. I assume eth6.30 is whats connected to your switch? Have you tried bouncing the status or tried another cable just to make sure that can be ruled out?

Best,
Andy
0 Kudos
nflnetwork29
Advisor
‎2023-01-16 10:49 AM
In response to the_rock
Jump to solution

i removed the LACP configuration and it seems to be working now . still curious how the switch knows where to route the traffic. ie. where the VIP is located (checkpoint 1 or 2) 

the_rock
MVP Platinum
MVP Platinum
‎2023-01-16 11:08 AM
In response to nflnetwork29
Jump to solution

It would know, because VIP is ALWAYS tied to whichever member is master.

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-01-17 06:41 PM
In response to nflnetwork29
Jump to solution

Check Point ClusterXL clusters are not multi-chassis when it comes to things like bonding etc, so the switch should not use LACP when configuring a single interface on each cluster member. If you were to create an LACP bond on each cluster member, you would then create two corresponding LACP bonds on the switches, not a single one. 

The switches know which gateway is holding the VIP because the active gateway will be the one that responds to ARP requests from network devices looking for the VIP.

(1)
nflnetwork29
Advisor
‎2023-01-18 10:30 AM
In response to emmap
Jump to solution

thank you - i was using single LACP on my switch - that was my error . 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-16 10:49 AM
In response to nflnetwork29
Jump to solution

By the way, I found an issue another client had back in May 2022 and issue was misconfigured vlan on the switch side. Not implying by any means thats your issue, but might be worth checking.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events