IP390 Cluster dropping member

Posted on 2009-04-23
Last Modified: 2013-11-16
Hello All -

I'm new to Checkpoint firewalls and the Smart Center but must admit that I am learning things all the time. I've defined a cluster consisting of 2 IP390s using Nokia's clustering. (NGX R65, IPSO 4.2) The interfaces are standard set up with x.x.x.1, x.x.xx.2, x.x.x.3 representing the virtual/cluster IP, interface on firewall 1 and interface on firewall 2 respectively. This is for 6 of 7 ports in the cluster with the 7th one being set up as the sync interface. When I have redundant connections(connections are to Nortel Baystack 470 switches) to the clustered firewalls (fw1 and fw2), the Voyager cluster monitor shows things fine with both the master and member listed. If I unplug one of the interfaces, the member unit drops out of the cluster (seen via monitor) and things work through the new master. None of the other interfaces on the fw that dropped out however can be seen. Is this normal for the functionality of the cluster?

Question by:Wookie68
    LVL 18

    Accepted Solution

    I assume you are using Nokia VRRP clustering?  ie this is active/passive, as opposed to the active/active load balancing of IP Clustering?

    Can you confirm it is indeed VRRP you are using?

    Also, it seems that you have the cluster interfaces (ie the interfaces on each node that participates in the cluster) configured as such that any issue on any interface, will immediately cause the node to declare itself as not able to act as master, so it drops itself out of the cluster and you fail over to the other node.  As far as I can remember (I would need to quickly lab this up to be 100%) but the issue you see may be normal, ie a node not able to participate in a cluster due to a downed interface, should not be listed as available in any way.

    What may help, is if you can run the following commands in the CLI of each cluster member

    cphaprob stat
    cphaprob -i list

    This will give us what Check Point sees on the devices.

    If it is indeed VRRP, can you also run this on the CLI on each firewall

    (this will take you into a different CLI prompt)
    then run
    show vrrp
    show vrrp summary

    If you can, a screenshot of the 3rd part clustering tab of the cluster in dashboard would help us understand this a bit better.  Once we have a clearer idea on your set up, we can confirm/deny what the actions should be

    Author Comment

    No, I am using HA clustering with the multicast option. Did some digging today and found others that have had issues with the multicast clustering based on the switches used in the network. Turns out my Nortel switches are not liking the Virtual IP and Gateway sharing the same MAC address. I haven't tried the solution with the switches, but most everyone with my switches switched over to clustering via VRRP, which is my next move tomorrow. You are dead on as to why the member drops out when I unplug an interface... turns out that it is normal as you said. Thanks for the help!

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive + Dolby Voice = No More Audio Complaints!

    Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

    Suggested Solutions

    To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
    This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now