IP390 Cluster dropping member

Hello All -

I'm new to Check Point firewalls and the Smart Center but must admit that I am learning things all the time. I've defined a cluster consisting of 2 IP390s using Nokia's clustering (NGX R65, IPSO 4.2). The interfaces are standard set up with x.x.x.1, x.x.x.2, x.x.x.3 representing the virtual/cluster IP, interface on firewall 1 and interface on firewall 2 respectively. This is for 6 of 7 ports in the cluster, with the 7th one being set up as the sync interface. When I have redundant connections (connections are to Nortel Baystack 470 switches) to the clustered firewalls (fw1 and fw2), the Voyager cluster monitor shows things fine with both the master and member listed. If I unplug one of the interfaces, the member unit drops out of the cluster (seen via monitor) and things work through the new master. None of the other interfaces on the fw that dropped out, however, can be seen. Is this normal for the functionality of the cluster?

deimark Commented:
I assume you are using Nokia VRRP clustering? I.e. this is active/passive, as opposed to the active/active load balancing of IP Clustering?

Can you confirm it is indeed VRRP you are using?

Also, it seems that you have the cluster interfaces (i.e. the interfaces on each node that participates in the cluster) configured such that any issue on any interface will immediately cause the node to declare itself as not able to act as master, so it drops itself out of the cluster and you fail over to the other node. As far as I can remember (I would need to quickly lab this up to be 100%), the issue you see may be normal, i.e. a node not able to participate in a cluster due to a downed interface should not be listed as available in any way.

What may help is if you can run the following commands in the CLI of each cluster member:

cphaprob stat
cphaprob -i list

This will give us what Check Point sees on the devices.

If it is indeed VRRP, can you also run this on the CLI on each firewall

(this will take you into a different CLI prompt)
then run
show vrrp
show vrrp summary

If you can, a screenshot of the 3rd party clustering tab of the cluster in dashboard would help us understand this a bit better. Once we have a clearer idea on your setup, we can confirm/deny what the actions should be.

Wookie68 (Author) Commented:
No, I am using HA clustering with the multicast option. Did some digging today and found others that have had issues with the multicast clustering based on the switches used in the network. Turns out my Nortel switches are not liking the Virtual IP and Gateway sharing the same MAC address. I haven't tried the solution with the switches, but most everyone with my switches switched over to clustering via VRRP, which is my next move tomorrow. You are dead on as to why the member drops out when I unplug an interface... turns out that it is normal as you said. Thanks for the help!
