This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2019-07-12 06:20 AM

VRRP with R80.10 - Interfaces in backup mode

Hi Folks,

I am facing a weird issue with R80.10 Cluster in VRRP.

I have currently have only one firewall configured in VRRP cluster and management server is away one hop; that is on L3 switch. 

So my topology is INTERNET-----Firewall--> L3-->Mgmt server.

I then upgraded the firewall to R80.30 however after upgradation obviously it came up with Initial Policy since it could not fetch the policy from Mgmt server however when I decided to install policy it couldnt connect to Mgmt server. When I investigated I found that all the interfaces [though its single appliance in cluster] were in backup mode. And since no policy was installed HA module wasnt started.

I guess since being a single appliance it by default should come up as Primary, correct?

Any clue or any other alternative by which appliance can load last installed policy?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
5 Replies
Maarten_Sjouw
Champion
Champion
‎2019-07-12 06:55 AM

If you look with cphaprob stat you will probably see it is in Raeady state, this means that when you have the flag MonitorFirewall set to ON it will not come up as master, so just change it to Monitor Firewall off.
set vrrp monitor-firewall off
Regards, Maarten
0 Kudos
Blason_R
Leader
Leader
‎2019-07-12 07:02 AM
In response to Maarten_Sjouw

I see does that mean since it does not have any policy it went in backup mode? And shutting down the monitor-firewall will make in Primary even if the policy is set as Initial?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-12 10:59 AM
In response to Blason_R

It checks the state of cphaprob, when it is still set to ready it will not go into Master mode.
As you only have one member ithis setting does not make sense to check. you always need to be in master mode with this member.
Regards, Maarten
0 Kudos
Blason_R
Leader
Leader
‎2019-07-12 11:05 AM
In response to Maarten_Sjouw

Oh ok - So, setting up firewall mode off makes sense, right?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-12 11:13 AM
In response to Blason_R

Yes, set vrrp monitor-firewall off makes sense.
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top