CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 cciesec2006 (2008-05-15)
ClusterXL trouble.. Help!!!!

Have a situation:

a pair of IBM 3650 dual quad-core processors 3.16 GHz with 4GB RAM
running in ClusterXL Active/Active Unicast mode. The Check Point
software is NGX R65 2.6 kernel.

This firewall pair is being managed by Provider-1 NGX R65 2.4 kernel
with HFA_02 running on a Dell 2850 dual processors 3.06 GHz with 8GB RAM.

Logs on the firewalls are being sent to a Provider-1 MLM and a standalone CLM.
Provider-1 is NGX R65 with HFA_02 on 2.4 kernel. The stand-alone CLM
is NGX R65 2.6 kernel on a Dell 2950-III box.

Everything is running a Check Point 30-day eval license.

I have about 300 rules in the security policy. I pushed policy to the
pair of firewalls. Everything is working fine and I get no errors when
pushing policy to the firewall.

I have a couple of QoS rules in the QoS policy. I see NO errors when
pushing policy to the firewalls.

At this point I start pushing about 900Mbps between the Iperf client/server
through the firewall.

Here are two issues I have:

1- In SmartView Monitor, it tells me that I have NO QoS policy installed
on gw1 and gw2.

2- After every two hours, I lose SIC either to the gw1 or gw2 firewall.
I verified this by performing "test SIC" in the cluster members. When
I pushed policy to the firewall, it tells me that policy push failed
either to gw1 or gw2 member. The only way for me to fix is to re-SIC
and reboot the firewall and re-establish SIC with the Provider-1 CMA.

3- I have NO issue with SIC when I go Active/Standby.


Is this a bug in Check Point or something? My setup is a very simple one.

Comment anyone? Thanks.

#2 cciesec2006 (2008-05-15)
Re: ClusterXL trouble.. Help!!!!

Here is a diagram of my test.
[Attachment: clusterxl-trouble-help-ibm_3650.jpg]

#3 dantro (2008-05-15)
Re: ClusterXL trouble.. Help!!!!

Had this problem, too, on HP DL385 hardware with NGX (R65) on SPLAT 2.6 kernel in connection with a (R65) HFA_02 management. Lost SIC connection after a few minutes while everything was working before.

Solution: get rid of the 2.6 kernel. When we installed R65 from the orig. CD without the 2.6 kernel there were no issues at all.

#4 melipla (2008-05-16)
Re: ClusterXL trouble.. Help!!!!

Quote (originally posted by cciesec2006):
2- After every two hours, I lose SIC either to the gw1 or gw2 firewall.
I verified this by performing "test SIC" in the cluster members. When
I pushed policy to the firewall, it tells me that policy push failed
either to gw1 or gw2 member. The only way for me to fix is to re-SIC
and reboot the firewall and re-establish SIC with the Provider-1 CMA.

3- I have NO issue with SIC when I go Active/Standby.


Is this a bug in Checkpoint or something? My setup is a very simple one.

Comment anyone? Thanks.

I have an open, not going anywhere, SR with Check Point about an R65 2.6 kernel cluster which loses SIC on either the active or the standby member (it's random). The loss of SIC is caused by CPD utilizing 100% on one of the CPUs. I've narrowed the problem down to RTM / SmartView Monitor being enabled for the Gateway object and have seen varying times for when the problem occurs--when I had attempted to time it, it was an hour between occurrences.

Unfortunately this hardware isn't supported on the R65 2.4 kernel....

HTH

#5 cciesec2006 (2008-05-16)
Re: ClusterXL trouble.. Help!!!!

Hi there,

Do you have that ticket number by chance? I also have a ticket opened with
ISS/Check Point and they asked me if others run into the same issue.

Please email me off-line for the ticket. Really appreciate it.