How to manually force split brain on VSes with 2 V...

KostasGR · ‎2022-06-02

Hello

Is any way to manually force split brain on 2 VSes created on 2 VSXes on VSLS mode?

I want to achieve 2 VSes active on VSXA and the same 2 VSes active on VSXB in a lab environment.

BR,
Kostas

genisis__ · ‎2022-06-02

I'm pretty sure the answer is no.

You can certainly load share between different VSX Nodes but you can't have any one VS active on two different nodes, at least too my knowledge.

If you want true resource balancing then perhaps Maestro may be a better option.

Another idea, would be to have two different VS's using the same policy file but perhaps an external load balancing to share the load (a bit over kill, but could also be an option with some design considerations).

Vladimir · ‎2022-06-02

I do not think that you can selectively achieve that, but to have all VSes running in split brain, move the networks of one of the unit to the separate vSwitches, (loose the sync) and reboot the unit.

In theory, it'll come up looking for other cluster member and, not finding one, run VSes to Active mode.

Bob_Zimmerman · ‎2022-06-02

If there are other VSs which you don't want to try to become active on both members, this isn't possible. Sync and cluster monitoring on VSX is a whole-box thing.

If you're okay with all VSs trying to become active on two or more members, you just have to prevent those members from seeing each other.

KostasGR · ‎2022-06-07

Hello all

Finally i have managed to cause split brain by preventing those members from seeing each other.

Apart from preventing VSes to see each other through their interfaces (inside,outside,DMZ etc) I had to disable SYNC connectivity and also shutdown the management interface of the 2 VSXes. By disabling the management interfaces of the 2 VSXes i had no logging towards the log server (management server),

BR,

Kostas

genisis__ · ‎2022-06-07

What is achieved by this outside a lab? In a production environment you could not really do the above and most certainly Checkpoint would not support it.

KostasGR · ‎2022-06-07

A DR scenario that cuts layer 2 connectivity between MAIN DC and REMOTE DC for example. Why Check point wouldn't support it?

genisis__ · ‎2022-06-07

I don't believe this is a supported scenario, but Checkpoint would be better to respond.

Kaspars_Zibarts · ‎2022-06-07

Technically if VSX nodes lose L2 completely then both will become Active as they will assume that other node is dead based on clustering protocol. So your two DCs should continue to work independently. Obviously you won't be able to manage them i.e push rules our routing. But I suggest you test in the lab

Bob_Zimmerman · ‎2022-06-07

That depends. Other problems such as monitored interfaces which don't have anything available to ping (e.g, a new highest VLAN or lowest VLAN which doesn't have any endpoints on it yet) can cause both members to refuse to become active because they each think they are the device with the failure.

Spanning layer 2 between datacenters is a really bad idea.

Kaspars_Zibarts · ‎2023-07-24

Hehe. There are lots of bad ideas @Bob_Zimmerman but in reality you are forced to accept legacy solutions that take years to move on from 🙂

Bob_Zimmerman · ‎2023-07-24

I've personally seen more people trying to span layer 2 between datacenters in each of the last five years than I had even heard about in the ten years before. It's a recent phenomenon. People need to be told it's a terrible idea which will lead to awful problems.

Are you a member of CheckMates?

How to manually force split brain on VSes with 2 VSXes on VSLS mode