IP390 Cluster dropping member

Posted on 2009-04-23
Last Modified: 2013-11-16
Hello All -

I'm new to Check Point firewalls and the Smart Center but must admit that I am learning things all the time. I've defined a cluster consisting of 2 IP390s using Nokia's clustering (NGX R65, IPSO 4.2). The interfaces are a standard setup with x.x.x.1, x.x.x.2, x.x.x.3 representing the virtual/cluster IP, interface on firewall 1 and interface on firewall 2 respectively. This is for 6 of 7 ports in the cluster, with the 7th one being set up as the sync interface. When I have redundant connections (connections are to Nortel Baystack 470 switches) to the clustered firewalls (fw1 and fw2), the Voyager cluster monitor shows things fine with both the master and member listed. If I unplug one of the interfaces, the member unit drops out of the cluster (seen via monitor) and things work through the new master. None of the other interfaces on the fw that dropped out, however, can be seen. Is this normal for the functionality of the cluster?

Question by:Wookie68

Accepted Solution

deimark earned 2000 total points
ID: 24218841
I assume you are using Nokia VRRP clustering? I.e. this is active/passive, as opposed to the active/active load balancing of IP Clustering?

Can you confirm it is indeed VRRP you are using?

Also, it seems that you have the cluster interfaces (i.e. the interfaces on each node that participate in the cluster) configured such that any issue on any interface will immediately cause the node to declare itself as not able to act as master, so it drops itself out of the cluster and you fail over to the other node. As far as I can remember (I would need to quickly lab this up to be 100%), the issue you see may be normal, i.e. a node not able to participate in a cluster due to a downed interface should not be listed as available in any way.

What may help is if you can run the following commands in the CLI of each cluster member:

cphaprob stat
cphaprob -i list

This will give us what Check Point sees on the devices.

If it is indeed VRRP, can you also run this on the CLI on each firewall

(this will take you into a different CLI prompt)
then run
show vrrp
show vrrp summary

If you can, a screenshot of the 3rd party clustering tab of the cluster in dashboard would help us understand this a bit better. Once we have a clearer idea of your setup, we can confirm/deny what the actions should be.

Author Comment

ID: 24221579
No, I am using HA clustering with the multicast option. Did some digging today and found others that have had issues with the multicast clustering based on the switches used in the network. Turns out my Nortel switches are not liking the Virtual IP and Gateway sharing the same MAC address. I haven't tried the solution with the switches, but most everyone with my switches switched over to clustering via VRRP, which is my next move tomorrow. You are dead on as to why the member drops out when I unplug an interface... turns out that it is normal as you said. Thanks for the help!
