CPUG: The Check Point User Group


Thread: Cluster in a Lab environment (cluster not working)

  1. #1
    Hi all.
    It's been 2 days I'm trying to get this cluster in a lab environment working.

    I've looked everywhere and couldn't find the information to solve my problem.

    My lab is using Windows Hyper-V with 1 PC, 2 firewalls and 1 management using R77.30.
    I pretty much copied my live setup (which has 5 locations, with a running cluster in each).

    The problem is that they don't seem to see each other.
    SMART Monitor : shows both active
    cphaprob stat : only sees the localhost

    Both firewalls have 3 interfaces
    eth0,11 /24 VIP

    eth1,3 /24 VIP

    eth2,2 /24
    cpstat -f all ha : gives me the correct output

    The topology is correct on the management server
    I've pushed the topology and 1 rule which allows all traffic to everything

    The PC, SMS and firewalls can ping every interface.
    -- VIP on the SMS side and PC side isn't pinging
    I rebooted, issued cpstop and start; nothing seems to fix this.

    This is either a virtual switch problem from Hyper-V
    or I'm doing something wrong... But at the moment I can't seem to find how to fix this (I'm trying to prove that my setup is ok).

    Any help would be greatly appreciated
    Last edited by ugodeschamps; 2017-04-10 at 15:26.

  2. #2

    One search on Google gave me SK106855 and this forum entry.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3

    Hi again, thanks for those links.
    I've enabled MAC spoofing and the cluster went on right away! With some problems that I'd like to share, so you can comment on or approve my thinking. (Sorry for my French BTW, maybe my sentences don't make too much sense sometimes.)

    Here's my setup
    [Attached images]

    With this setup I was having a serious problem with the cluster... the cphaprob stat
    [Attached image: cphaprob stat output]
    As you can see the 1st sync seems messed up with the internal interface (facing the management server)
    Here's the output from cpstat -f all ha
    [Attached images: cpstat -f all ha output]

    Now my thinking was that there must be something with the spoofing that was causing an issue, since it's all running inside Hyper-V that is running inside a vSphere (I know I'm pushing it).
    So I've put the eth0 state to off, that didn't make any change (but I wasn't expecting much from this)
    Then I've tried to remove the eth3 (Sync) interface and put it on the eth1 cluster + 1sync and that did it.
    I've checked the MAC address assigned to each interface, to the "VIP" as well, and nothing was off... Now I know that CCP are sent using multicast. Is it possible that, from the original plan, the eth1 was receiving those packets and messed up my cphaprob stat outputs?

    At that point I tried cphaconf set_ccp broadcast, redid the eth3 as the Sync interface and rebooted. The problem came back. The cphaprob stat shows eth1 and eth3 IP addresses.
    I removed the eth3 again and put eth1 as cluster and sync 1 (facing the management server network)
    Everything from that end is ok now.

    Now from the tracker I see Multicast packet from eth0 trying to get out eth1, the protocol is IGMP
    From what I can see, the problem I have is that the CCP multicast is not working super good with the virtual setup I have, or there's something I don't understand properly

    I know this is a lengthy post, but I hope someone somewhere has an explanation.
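
The Hyper-V setting that post #3 reports enabling, as an added example (not code from the thread or from SK106855): a PowerShell function, run on the Hyper-V host, that lists each cluster member VM's virtual adapters and turns on MAC address spoofing only where it is currently off. The VM names `fw-a` and `fw-b` and the function name are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example. VM names are hypothetical; substitute the lab's cluster member VMs.
function Enable-ClusterMemberMacSpoofing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$VMName
    )

    foreach ($vm in $VMName) {
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
            $before = $nic.MacAddressSpoofing

            # Change only adapters that are Off; honours -WhatIf / -Confirm.
            if ($before -eq 'Off' -and
                $PSCmdlet.ShouldProcess("$vm / $($nic.Name)", 'Enable MAC address spoofing')) {
                $nic | Set-VMNetworkAdapter -MacAddressSpoofing On
            }

            # Re-read the adapter so the report shows the effective setting.
            $after = (Get-VMNetworkAdapter -VMName $vm |
                      Where-Object Id -eq $nic.Id).MacAddressSpoofing

            [pscustomobject]@{
                VM         = $vm
                Adapter    = $nic.Name
                Switch     = $nic.SwitchName
                MacAddress = $nic.MacAddress
                Before     = $before
                After      = $after
            }
        }
    }
}

# Dry run first: reports what would change without touching any adapter.
Enable-ClusterMemberMacSpoofing -VMName 'fw-a', 'fw-b' -WhatIf | Format-Table -AutoSize
```

Pass only the gateway VMs: with this setting on, a guest may send frames with source MAC addresses other than the one Hyper-V assigned to it, so it should stay off for every other VM on the host.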

  4. #4

    Run fw ctl zdebug drop and look for anti-spoofing drops, cause you might need to update anti-spoofing, also, make sure you have a NAT rule that nonats all the interface networks to interface network, if that makes sense...

    eg if you have interface A and B

    networkAB going to Network AB should not be NAT'ed...

    I had a similar issue and this fixed it.

    Make sure the VM virtual networking is not an issue...

