This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KostasGR
Collaborator
‎2022-06-02 12:06 PM

How to manually force split brain on VSes with 2 VSXes on VSLS mode

Hello 

Is any way  to manually force split brain on 2 VSes created on 2 VSXes on VSLS mode?

I want to achieve 2 VSes active on VSXA and the same 2 VSes active on VSXB in a lab environment.

BR,
Kostas

 

0 Kudos
9 Replies
genisis__
Advisor
‎2022-06-02 12:30 PM

I'm pretty sure the answer is no.

 

You can certainly load share between different VSX Nodes but you can't have any one VS active on two different nodes, at least too my knowledge.

If you want true resource balancing then perhaps Maestro may be a better option.

 

Another idea, would be to have two different VS's using the same policy file but perhaps an external load balancing to share the load (a bit over kill, but could also be an option with some design considerations).

0 Kudos
Vladimir
Champion
Champion
‎2022-06-02 12:53 PM

I do not think that you can selectively achieve that, but to have all VSes running in split brain, move the networks of one of the unit to the separate vSwitches, (loose the sync) and reboot the unit.

In theory, it'll come up looking for other cluster member and, not finding one, run VSes to Active mode.

0 Kudos
Bob_Zimmerman
Advisor
‎2022-06-02 01:54 PM

If there are other VSs which you don't want to try to become active on both members, this isn't possible. Sync and cluster monitoring on VSX is a whole-box thing.

If you're okay with all VSs trying to become active on two or more members, you just have to prevent those members from seeing each other.

0 Kudos
KostasGR
Collaborator
‎2022-06-07 01:14 AM
In response to Bob_Zimmerman

Hello all

Finally i have managed to cause split brain by preventing those members from seeing each other.

Apart from preventing VSes to see each other through their interfaces (inside,outside,DMZ etc) I had to disable SYNC connectivity and also shutdown the management interface of the 2 VSXes. By disabling the management interfaces of the 2 VSXes i had no logging towards the log server (management server),

BR,

Kostas 

0 Kudos
genisis__
Advisor
‎2022-06-07 01:18 AM
In response to KostasGR

What is achieved by this outside a lab?  In a production environment you could not really do the above and most certainly Checkpoint would not support it.

 

 

KostasGR
Collaborator
‎2022-06-07 02:46 AM
In response to genisis__

A DR scenario that cuts layer 2 connectivity between MAIN DC and REMOTE DC for example. Why Check point wouldn't support it?

0 Kudos
genisis__
Advisor
‎2022-06-07 02:54 AM
In response to KostasGR

I don't believe this is a supported scenario, but Checkpoint would be better to respond.   

Kaspars_Zibarts
Authority
Authority
‎2022-06-07 04:51 AM
In response to genisis__

Technically if VSX nodes lose L2 completely then both will become Active as they will assume that other node is dead based on clustering protocol. So your two DCs should continue to work independently. Obviously you won't be able to manage them i.e push rules our routing. But I suggest you test in the lab

Bob_Zimmerman
Advisor
‎2022-06-07 05:21 AM
In response to Kaspars_Zibarts

That depends. Other problems such as monitored interfaces which don't have anything available to ping (e.g, a new highest VLAN or lowest VLAN which doesn't have any endpoints on it yet) can cause both members to refuse to become active because they each think they are the device with the failure.

Spanning layer 2 between datacenters is a really bad idea.

0 Kudos