| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi All,

My VRRP clusters are both in backup state. When I run cphaprob -a if, it tells me all interfaces are non sync non secured and tells me that synchronization will not work. I have specified a sync network in the topology info. The firewall is running IPSO 4.2 with NGX R65. Need help ASAP. Thanks.

__________________
tdvit
CCSA CCSE
this resolved my issue

Solutions ID: 1351701
Version: 1.0
Published: April 26, 2007

Symptoms

Check Point state sync is broken, the output of cphaprob -a if shows no secured sync interface and displays "Warning: Sync will not function since there aren't any sync(secured) interfaces"

    nokia[admin]# cphaprob -a if
    eth-s1p3c0 non sync(non secured)
    eth-s1p1c2 non sync(non secured)
    eth-s1p4c0 non sync(non secured)
    eth-s1p2c1 non sync(non secured)
    eth2c0 non sync(non secured)
    eth3c1 non sync(non secured)
    eth1c0 non sync(non secured)
    Warning: Sync will not function since there aren't any sync(secured) interfaces

The output of cphaprob state shows the interface is configured for sync:

    nokia[admin]# cphaprob state
    Cluster Mode: Sync only (IPSO cluster))
    Number Unique Address Firewall State (*)
    1 (local) 192.168.54.3 active
    (*) In IP Clustering/VRRP FW-1 also monitors the cluster status

Answer

Another VLAN on the same physical interface has been configured with a lower VLAN ID than the one used for the sync interface. The VLAN ID for the sync interface must be configured to be the lowest VLAN ID when there are multiple VLANS on the same physical interface.

To resolve the problem:

1. On both cluster members, use Voyager to lower the VLAN ID on the logical interface used for the sync network. The new VLAN ID for the sync interface must be configured to be the lowest VLAN ID on the physical interface when there are multiple VLANS on the same physical interface.
2. Reconfigure the trunk on the switch connected to the interface to reflect the change in VLAN ID.
3. Reboot the cluster members to make the new VLAN active.
4. Push the policy to the firewalls.
5. On both members, execute the commands: nokia[admin]# cphastop; cphastart
6. Check on both members that the correct CP sync interface is now shown as secured in the output of cphaprob -a if
7. Check that the correct interfaces are shown in the output of cphaprob state and the interfaces are shown as active.
8. Check that sync is now working with fw tab -t connections -s

__________________
tdvit
CCSA CCSE
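The symptom check and the lowest-VLAN-ID rule from the solution above, written as an added example (not part of the original post or the vendor article). The `physical_if vlan_id role` inventory format, the VLAN IDs, and the shape of a healthy `sync(secured)` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Two checks derived from the KB text above.

# Reads `cphaprob -a if` output on stdin; prints OK when at least one interface
# is reported as sync(secured), BROKEN otherwise. The Warning line is skipped
# because it also contains the string "sync(secured)".
sync_status() {
    awk '
        /^Warning/                { next }
        /non sync\(non secured\)/ { next }
        /sync\(secured\)/         { secured++ }
        END { print (secured > 0 ? "OK" : "BROKEN") }
    '
}

# Reads "physical_if vlan_id role" lines (hypothetical inventory format, typed
# in by hand from Voyager) and reports each physical interface whose sync VLAN
# is not the lowest VLAN ID configured on that interface.
check_sync_vlan() {
    awk '
        { id = $2 + 0; if (!($1 in low) || id < low[$1]) low[$1] = id }
        $3 == "sync" { syncid[$1] = id }
        END {
            for (p in syncid)
                if (syncid[p] > low[p])
                    printf "%s: sync VLAN %d is not lowest (lowest is %d)\n", p, syncid[p], low[p]
        }
    '
}

# Output quoted in the post (abridged to two interfaces plus the warning).
BROKEN_OUTPUT="eth-s1p3c0 non sync(non secured)
eth2c0 non sync(non secured)
Warning: Sync will not function since there aren't any sync(secured) interfaces"

# Constructed: assumed shape of a healthy line, based on the warning text.
HEALTHY_OUTPUT="eth-s1p3c0 sync(secured)
eth2c0 non sync(non secured)"

# Constructed VLAN IDs; the post does not give the real ones.
INVENTORY="eth-s1p3 10 data
eth-s1p3 30 sync
eth2 5 sync
eth2 20 data"

printf '%s\n' "$BROKEN_OUTPUT"  | sync_status
printf '%s\n' "$HEALTHY_OUTPUT" | sync_status
printf '%s\n' "$INVENTORY"      | check_sync_vlan
```

Run the VLAN check against the inventory of both cluster members before the reboot in step 3, since the rule has to hold on each member.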