Can the standby cluster member use the phsyical IP address

[mhorne]

Hello,

I have a problem downloading updates from Checkpoint appliances via the Internet.

I have a ClusterXL Active/Standby cluster based on R77.30 running on open server running GAIA.

The Internet facing interface has a virtual IP address, because we are routing production traffic to the cluster via the same interface. When the standby cluster member is accessing the Internet it is using the cluster virtual IP address and not the physical IP Address.

When the active cluster member checks for updates it is using the virtual IP address and it is working.
When the standby cluster member checks for updates it is using the virtual IP address and it is not working.

To update the standby cluster member I need to fail over the cluster to make the standby cluster member the active cluster member.

Is there a way to get the standby cluster member to use the physical IP address, instead of the virtual IP address?
I would be happy if both members used the physical IP addresses when sending traffic.

Many thanks,
Michael

[themadhatterz]

So the default setting is to hide behind the VIP, the technical term is called cluster hide/fold. This SK covers what you need.

https://supportcenter.checkpoint.com...product=VSX%22

[eduardoxmunoz]

By default the Active member does not forward traffic sent to the standby gateway.

You might need to set fwha_forw_packet_to_not_active to 1 (zero by default)

[Expert@HostName]# fw ctl set int fwha_forw_packet_to_not_active 1

sk43346 can give you an idea.

Regards

Ed

[mhorne]

Hi,

Thanks I will check this out.

Many thanks!

[mhorne]

Hi,

It seems both solutions fix the problem, but I am using the first one mentioned ... as it was first. But thanks to all.

Unfortunately I am one of those annoying people that not only want a solution, but need to understand why. If any one can explain when we have this behaviour: ClusterXL mechanism was improved and in some cases might cause Active member to drop packets that should be forwarded to Standby member. This behaviour is by design.

It was strange that that for ICMP traffic the Active member would forward the traffic to the standby.
Also for UDP the Active member would forward the traffic to the standby.
It was only for TCP (Maybe because TCP is stateful and the active did not see the outgoing packets), that the Active member did not forward the traffic to the standby.

Thanks to all and to all a good day!

[eduardoxmunoz]

Unfortunately I am one of those annoying people that not only want a solution, but need to understand why.

I think lots of us are in the same boat here, so nothing to regret :)

In regards to the services working before applying the solution. Probably is due to the fact that by default some services are excluded from clustering fold (most of them UDP)

Have a read at sk31832 & sk98339

I hope it helps. If not, keep asking ;)

Regards

Ed

[alienbaby]

There are two or three under-the-hood solutions to this problem.

Personally, I prefer the out-in-the-open solution.

The table.def changes are hidden, and you have to remember that you did them.. When you preform a Major Version upgrade, you may find that you have to reverse the change, or have to remember you did it so you can re-do it..

I believe it's best to add a Manual NAT rule to the top of the NAT policy that says something like;

ClusterMember01ExternalIP -> Any -> Any ; Original -> Original -> Original

It's out in the open.. it's a part of policy, shows up in the NAT fields in Logs etc.

Repeat for each cluster member.