This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fabiofabio
Collaborator
‎2021-12-15 06:02 AM

sync interfaces going up and down (partially up)

Hello,
this morning I replaced one of the two nodes in HA, the new one was configured and tested in a test environment and in fact now it has no problems. the problem occurs in the two interfaces (ETH4 and 5) that deal with the sync. these keep going up and down

image.png

image.png


from the smart console are partially up

image.png

ETH4 is set as secondary in sync while ETH5 is primary.
node 1 (the old one) restarted by itself when I attacked node 2 (new) and node 1 was not restarting for a year. at this moment node 1 is running and has no problems, but due to the problems on the interfaces there is no node 2 among the members of the HA

image.png

I read that I should broadcast the network cards to solve the problem but I don't want to, as it has worked so far. the problem shouldn't be here.

any suggestion?

thanks

 

0 Kudos
13 Replies
the_rock
MVP Diamond
MVP Diamond
‎2021-12-15 07:25 AM

I cant say this 100%, but I believe it was never recommended to use 2 sync interfaces. Regardless, you can try below steps. I always use to do this when someone had issues with sync in the cluster.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-12-15 07:31 AM

Which GW version is this?

Note the use of more than one dedicated physical interface for synchronization redundancy is not supported. You can use Bonding for synchronization interface redundancy.

CCSM R77/R80/ELITE
0 Kudos
fabiofabio
Collaborator
‎2021-12-16 04:07 AM
In response to Chris_Atkinson

this configuration works since 2014, I have no idea at this point how they made it work, however, can this modification to create the bonding be done hot? taking into account that I only have a functioning node and that I can no longer afford down periods.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-12-16 04:20 AM
In response to fabiofabio

You can do sync debug from the link I sent, hope that helps, as it should give you a clue why its failing.

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-12-15 07:34 AM

Also, to add what @Chris_Atkinson said, I dont know if it says anywhere its not officially supported, but either way, all I can tell you from my experience is that I had customers run it and it does work, BUT, when it breaks, tough fixing it...its NOT an easy task, thats for sure.

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-12-16 05:10 PM
In response to the_rock

For reference it's explained in the Cluster XL admin guide here:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/S...

CCSM R77/R80/ELITE
the_rock
MVP Diamond
MVP Diamond
‎2021-12-16 06:44 PM
In response to Chris_Atkinson

Thank you for that.

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-15 08:15 AM

Backing up what Chris said here, I even mentioned in my book that adding a second physical interface as a 2nd sync is not a good idea and to use a bond instead:

Click to Expand
If you elect to add a second sync network, bond the original physical interface with
another physical interface via the Gaia web interface (or clish) and declare the new
bonded aggregate interface as “1 st Sync” in the cluster object topology settings. DO
NOT simply add a new non-bonded interface and declare it as “2nd sync” in the cluster
topology, as this setup will severely degrade cluster performance. Check
netstat -ni statistics as well for the physical sync interfaces to ensure zero values
for RX-ERR and RX-OVR.

  

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-12-15 08:24 AM
In response to Timothy_Hall

I think I will buy your book @Timothy_Hall , one of my colleagues said he got it on Amazon and loved it :- ). Any discount code for checkmates peeps? haha

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-15 11:44 AM
In response to the_rock

Unfortunately I have no ability to create discount codes at Amazon for the hardcopy edition.

However discount codes for the PDF edition and the self-guided video series offerings do tend to pop up during CPX season every year so stay tuned.  

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Diamond
MVP Diamond
‎2021-12-15 12:30 PM
In response to Timothy_Hall

Just bought it on amazon, pays to be prime member : )

Best,
Andy
PhoneBoy
Admin
Admin
‎2021-12-16 11:51 PM

The top of this SK suggests you should, except in a few unique cases, only use bonded sync interfaces if you want redundancy.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-12-17 12:01 AM
In response to PhoneBoy

sk92804: Sync Redundancy in ClusterXL

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events