ClusterXL license question

[cciesec2006]

Does the 15 eval license come with ClusterXL
Active/Active license? I seem to recall that the
answer is NO because when I setup a pair
of SPLAT NGx R65 in Active/Active with 15
days eval license and a SmartCenter with
15 eval license as well, I can not get Active/Active
to work, only in High Availability (H/A).

Can someone confirm this? Thanks.

[chillyjim]

If the SmartCenter and the two gateways are in the plug-and-play eval you should have cxl as well as just about everything else.

[cciesec2006]

Well, Active/Active did not work for me and I have the Provider-1
NGx R65 with HFA_01 and pair of SPLAT box with 15 days eval license
and Active/Active did NOT work. It only works in HA mode.

I tried both Multicast and Unicast mode and neither work in Active/Active.

Problem is that the upstream router did not pick up the Virtual ip address.


I have another identical setup in R55 and it works fine in Active/Active
except that I have valid clusterXL license in the R55 environment.

[chillyjim]

Is it giving you a license error?

Your Check Point SE and/or reseller can generate you some eval licenses.

[cciesec2006]

Chillyjim,

"Your Check Point SE and/or reseller can generate you some eval licenses."

I can do that myself but that is besides the point. I would like to know
if the 15 days eval come with Active/Active since I am testing new features
on my cluster and it will run for about a week. If the active/active
license is included in the 15 days eval, I don't have to generate license.

[chillyjim]

The Plug-in-play license is suppose to be a full eval licenses that includes all features for the gateway and SmartCenter.

[cciesec2006]

ChillyJim,

I think you're correct. The 15 days eval has everything
including clusterXL active/active license. I just rebuilt
my enforcement module with R65 (NO hfa_01) and
it works fine. As soon as I applied hfa01, clusterXL stopped
working. I have to "uncheck ClusterXL" in the gateway cluster
properties, push policy, then "check clusterXL" again, push
policy again then clusterXL works again.

Must be a bug in HFA_01.

Thanks again ChillyJim.

[willr]

Maybe your problem is not the license?

I had a problem where the switch would not register the firewall VIP mac address in the arp tables. Doing a static ARP entry in the switch, for the VIP IP/mac of the firewall cluster solved the problem.

[cciesec2006]

In your case, you must be doing "multicast" instead "unicast".

With ClusterXL in "unicast", you do NOT need static ARP entry on the
switch or upstream device. My problem remains even with a HUB.

The fix is what I described previously.