CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Vsec Failover Partially Worked

  1. #1 (Join Date 2016-10-19, Posts 43)

    Vsec Failover Partially Worked

    Hello Guys

    I have deployed a vSEC cluster in Azure, I've created the service account, and "azure_ha-test.py" came back with all tests successful too.

    For some reason, the service account used for the HA failover was triggered and it sent the API call to Azure and changed all the routes/NATs to the standby node, but cphaprob state shows node2 as standby. So traffic was not passing the firewall in either direction.

    Questions:

    1) What caused the API triggering ?
    2) Why the failover failed even after all tests were successful ?

    It's really bad that Check Point does not provide any information on this failover in Azure other than "How to deploy cluster in Azure", which we followed, and according to that sk we are all set, and it still failed. I expect CP to provide more sks on multiple scenarios in Azure.

    E.g.: what is the command to trigger a failover in an Azure cluster? The sk suggests shutting one of the interfaces, which doesn't look like a proper mainstream command.

    Any insight into this is greatly appreciated.

  2. #2 (Join Date 2005-08-14, Location Gig Harbor, WA, USA, Posts 2,494)

    Re: Vsec Failover Partially Worked

    The HA test script just verifies the configuration is set up correctly so when a failover event actually occurs, we can trigger the relevant API calls to do the failover.
    It does not trigger the actual failover, which the manual interface shutdown accomplishes.
    Alternatives would be cpha commands, which are not preferable for simulating actual connectivity failures, or changes to the Gaia OS configuration, which are obviously not the recommended approach for testing.
    In a physical environment, you'd have other ways to trigger a failover (e.g. pulling the network cable)--something you can't easily do in a public cloud IaaS environment.
    That pretty much leaves us with shutting down the interface manually as the only way to simulate a failover in Azure.

    A common reason the failover may have failed is lack of permissions at the API level.
    Refer to https://supportcenter.checkpoint.com...ionid=sk116212
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3 (Join Date 2016-10-19, Posts 43)

    Re: Vsec Failover Partially Worked

    Phoneboy,

    My question is that the API call succeeded and changed all the routes as well. I see the same in the azure_had.elg file. But "cphaprob state" was still in its original state; it did not flip. That is my question.

    Thanks.

  4. #4 (Join Date 2016-10-19, Posts 43)

    Re: Vsec Failover Partially Worked

    I was checking through the IAM section. Another question: does the service account used for HA need to be in IAM on the cluster VM, on the node VMs as well, or on the whole resource group?

    Thanks.

  5. #5 (Join Date 2005-08-14, Location Gig Harbor, WA, USA, Posts 2,494)

    Re: Vsec Failover Partially Worked

    Quote Originally Posted by venkata:
    Was checking through the IAM section, another question is does the service account used for HA needs to be in IAM on the cluster VM or node VM's as well or the whole resource group?
    The example in sk116212 suggests you need appropriate permissions for the cluster member VMs at a minimum.
    When the failover "failed" what showed in $FWDIR/log/azure_had.elg if anything?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  6. #6 (Join Date 2016-10-19, Posts 43)

    Re: Vsec Failover Partially Worked

    Before the event, permissions were set on the whole resource group + node1 but not on node2. Attaching azure_had.elg.
    Attached Files

  7. #7 (Join Date 2005-08-14, Location Gig Harbor, WA, USA, Posts 2,494)

    Re: Vsec Failover Partially Worked

    You need permissions for both nodes as you will be ultimately changing the routing on both nodes during a failover.
    Also, I'm guessing this is your problem:

    RequestException: HTTP/1.1 401 Unauthorized
    {"error":"user_password_expired","error_description":"AADSTS50055: Password is expired.\r\nTrace ID: faadc6e2-72d1-403b-a0bf-7178da504800\r\nCorrelation ID: 240d61b6-bfc2-45bf-a5b0-5b595083d6f9\r\nTimestamp: 2018-03-21 15:21:34Z","error_codes":[50055],"timestamp":"2018-03-21 15:21:34Z","trace_id":"faadc6e2-72d1-403b-a0bf-7178da504800","correlation_id":"240d61b6-bfc2-45bf-a5b0-5b595083d6f9","password_change_url":"https://portal.microsoftonline.com/ChangePassword.aspx","suberror":"user_password_expired"}
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
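Editor's added example (not from any poster, and not Check Point's code): posts #2 and #7 point at the two credential-side causes of a half-completed Azure failover, a service principal with missing role assignments and one whose password has expired. The snippet below is a small triage helper that scans azure_had.elg-style text for "RequestException: HTTP/1.1 <status>" lines, parses the JSON body that follows, and classifies the failure so the operator knows whether to rotate the credential or fix RBAC. The 401 sample is the body quoted in post #7; the 403 sample uses the Azure Resource Manager error shape ({"error":{"code":"AuthorizationFailed",...}}) and is an assumption about what a missing role assignment looks like in the log, not something shown in the thread. The log file layout (body on the line after the status line) is also assumed.

```python
"""Triage Azure auth failures in Check Point azure_had.elg-style output.

Added example, not Check Point's code. Assumes each
'RequestException: HTTP/1.1 <status> <reason>' line is followed within two
lines by the JSON error body, which is how the excerpt in the thread reads.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

STATUS_RE = re.compile(r"RequestException:\s*HTTP/1\.\d\s+(\d{3})\s+([^\n]*)")
AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Remediation hints keyed by the code we extract. Only 50055 is evidenced
# on the page; AuthorizationFailed is the assumed ARM code for missing RBAC.
ADVICE: Dict[str, str] = {
    "50055": "Azure AD password expired: reset the HA service account "
             "credential and re-run azure_ha_test.py on both members",
    "AuthorizationFailed": "RBAC: grant the HA service principal a role on "
                           "both cluster member VMs and their route tables",
}


@dataclass
class Finding:
    status: int
    code: str
    trace_id: str
    advice: str


def _classify(status: int, body: dict) -> Finding:
    """Map one parsed error body to a Finding.

    Azure AD token errors carry 'error' as a string plus an AADSTS code in
    'error_description'; ARM errors carry 'error' as an object with 'code'.
    """
    err = body.get("error")
    if isinstance(err, dict):  # ARM-style body (assumed shape)
        code = str(err.get("code", "unknown"))
        trace = str(body.get("trace_id", ""))
    else:  # Azure AD token endpoint body, as quoted in post #7
        match = AADSTS_RE.search(str(body.get("error_description", "")))
        code = match.group(1) if match else str(err or "unknown")
        trace = str(body.get("trace_id", ""))
    advice = ADVICE.get(code, f"unclassified HTTP {status} ({code}): inspect body")
    return Finding(status, code, trace, advice)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per RequestException block found in log_text."""
    findings: List[Finding] = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        match = STATUS_RE.search(line)
        if not match:
            continue
        body: dict = {}
        # The JSON body is expected on one of the next two lines (assumed).
        for nxt in lines[i + 1:i + 3]:
            nxt = nxt.strip()
            if nxt.startswith("{"):
                try:
                    body = json.loads(nxt)
                except json.JSONDecodeError:
                    body = {}
                break
        findings.append(_classify(int(match.group(1)), body))
    return findings


def blocking(findings: List[Finding]) -> List[Finding]:
    """Auth/authz failures that would stop the failover API calls outright."""
    return [f for f in findings if f.status in (401, 403)]


# Constructed sample: the 401 body is the one quoted in post #7 (shortened);
# the 403 body is an assumed ARM AuthorizationFailed response. Raw string so
# the JSON's \r\n escapes survive as written in a log file.
SAMPLE_LOG = r"""2018-03-21 15:21:34 azure_had: failover event, updating routes
RequestException: HTTP/1.1 401 Unauthorized
{"error":"user_password_expired","error_description":"AADSTS50055: Password is expired.\r\nTrace ID: faadc6e2-72d1-403b-a0bf-7178da504800","error_codes":[50055],"trace_id":"faadc6e2-72d1-403b-a0bf-7178da504800","suberror":"user_password_expired"}
RequestException: HTTP/1.1 403 Forbidden
{"error":{"code":"AuthorizationFailed","message":"The client does not have authorization to perform action 'Microsoft.Network/routeTables/write'."}}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"HTTP {f.status} {f.code} trace={f.trace_id or '-'}: {f.advice}")
```

Run it against a real azure_had.elg with `triage(open(path).read())`; anything returned by `blocking()` means the failover script could not even authenticate or authorize, which matches the symptom in this thread where routes moved for one member but the expired credential stopped the rest.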
