This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cyprien_Leseurr
Participant
‎2017-09-11 12:53 AM

Only one member in ClusterXL appears with "cphaprob stat" command

I have build a Full HA ClusterXL with Firewall Gateways on VM (OS GAIA R77.30).

To make sure that the cluster is working properly , I used cphaprob commands.

But with "cphaprob stat" I only see the member on which I am, as "Active" and with 100% Assigned Load.

Same issue for both members, primary or secondary.

Moreover I haven't this problem in  SmartDashboard.

What is the probleme ?

0 Kudos
5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2017-09-11 05:24 AM

My guess is that you didn't set the same Cluster Global ID on both members during the R77.30 post-installation wizard.   This value must match on all members of the cluster or they will refuse to cluster up with each other.  Run cphaconf cluster_id get to check this value on both members, if you need to reset the value on one of the members to match the other, use the cphaconf cluster_id set <CLUSTER_ID_VALUE> command.  

R80.10 gateway clusters use a new feature called “Automatic MAC Magic” by default to automatically derive a unique Cluster Global ID, and prevent conflicts with other gateway clusters on the same network. The status of this new feature can be checked with the cphaprob mmagic command. This feature can also be monitored from a new ClusterXL-based screen of the cpview tool on a R80.10 gateway under Advanced...ClusterXL, and is backward compatible with gateways that had their Cluster IDs configured manually in earlier versions such as R77.30.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Cyprien_Leseurr
Participant
‎2017-09-11 05:55 AM
In response to Timothy_Hall

Thanks Tim for your response and your precision !

So I will check my Cluster Global ID and both members have the same.

Sync dedicated interface, Management dedicated interface, same cluster ID, synchronization OK... Except  cphaprob stat command, all seemed clear.

And I didn't use R80 for the time being but I keep cphaprob mmagic command in my head for later.

0 Kudos
Grigoriy
Contributor
‎2020-04-23 09:45 PM
In response to Cyprien_Leseurr

if it's still urgent 🙂
in Hyper-V NICs, used for sync, should be allowed to do MAC spoofing

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-04-24 02:54 AM
In response to Grigoriy

you can also check with cphaprob -a if if both members use the same method for exchanging cluster state, multicast or broadcast, when both are set to mulitcast make sure it is allowed by the VM switch.
You need to diasbale ALL security features on the firewalls' switch ports for it to work properly.
Also did you reboot both gwateways already, have you checked the setting in cpconfig?
Regards, Maarten
0 Kudos
Grigoriy
Contributor
‎2020-04-24 03:18 AM
In response to Maarten_Sjouw

i've had the problem, described by the topic-starter,

yesterday i resolved it by switching on MAC spoofing in Hyper -v openserver NICs, then rebooted one by one and cphaprob stat started to show cluster info correctly. it seem like cluster members couldn't sync - so-called split brain. all other attributes on both cluster members are the same.

here is the explanation: 

https://community.checkpoint.com/t5/General-Topics/Both-security-gateways-are-active-in-the-Full-HA-...

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events