Symptoms:
One cluster member shows a problem state. It always happened on the standby member. Looking deeper, you will find that some of the cluster member's interfaces show as down or partially up, although the physical interfaces are up and connected properly.
Related post: https://www.51sec.org/2016/01/24/configuring-checkpoint-gateway-forwarding-logs-to-external-syslog-server/
Log in to the command line on the primary member:
[Expert@CP1]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)
 with IGMP Membership
Number     Unique Address  Assigned Load   State
1 (local)  1.1.1.1         100%            Active
2          1.1.1.2         0%              Down
On the standby Check Point member:
[Expert@CP2]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)
 with IGMP Membership
Number     Unique Address  Assigned Load   State
1          1.1.1.1         100%            Active
2 (local)  1.1.1.2         0%              Down
[Expert@CP2]# cphaprob -i list
Built-in Devices:
Device Name: Interface Active Check
Current state: problem
Device Name: HA Initialization
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 93466.5 sec
Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 93439.2 sec
Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.2 sec
Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.2 sec
[Expert@CP2]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
DMZ       UP  non sync(non secured), multicast
Internal  Inbound: DOWN (10.9 secs)  Outbound: DOWN (88822.4 secs)  non sync(non secured), multicast
Lan1      UP  sync(secured), multicast
External  Inbound: DOWN (88822.4 secs)  Outbound: DOWN (89001.8 secs)  non sync(non secured), multicast
Virtual cluster interfaces: 3
DMZ       100.9.2.30
Internal  100.9.40.1
External  100.9.38.20
Solution:
Change the cluster mode from multicast to broadcast. From the command line, the command is "cphaconf set_ccp broadcast". This change does not require a system reboot or cpstop/cpstart, and it survives a reboot.
[Expert@CP1]# cphaconf set_ccp broadcast
[Expert@CP1]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
DMZ       UP  non sync(non secured), broadcast
Internal  UP  non sync(non secured), broadcast
Lan1      UP  sync(secured), broadcast
External  UP  non sync(non secured), broadcast
Virtual cluster interfaces: 3
DMZ       10.99.2.30
Internal  10.99.140.1
External  10.99.138.20
[Expert@CP1]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)
 with IGMP Membership
Number     Unique Address  Assigned Load   State
1 (local)  1.1.1.1         100%            Active
2          1.1.1.2         0%              Standby
[Expert@CP2]# cphaconf set_ccp broadcast
[Expert@CP2]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)
 with IGMP Membership
Number     Unique Address  Assigned Load   State
1          1.1.1.1         100%            Active
2 (local)  1.1.1.2         0%              Standby
[Expert@CP2]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
DMZ       UP  non sync(non secured), broadcast
Internal  UP  non sync(non secured), broadcast
Lan1      UP  sync(secured), broadcast
External  UP  non sync(non secured), broadcast
Virtual cluster interfaces: 3
DMZ       100.9.2.30
Internal  100.9.40.1
External  100.9.38.20
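The before/after interface check shown above can be scripted for monitoring. The shell function below is an added example, not part of the original post or of Check Point's tooling; it assumes the "cphaprob -a if" line layout shown in this post, and the names ccp_if_report and sample_standby_output are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise `cphaprob -a if` output (layout assumed from this post).
# On a cluster member:  cphaprob -a if | ccp_if_report

# Hypothetical helper name. Reads the command output on stdin and prints
#   DOWN <interface> [inbound] [outbound]   for each interface reporting DOWN
#   MODE <ccp mode(s)>                      e.g. "MODE multicast"
# Exit status: 0 if every monitored interface is UP, 1 if any is DOWN.
ccp_if_report() {
    awk '
        /sync\(/ {                     # monitored interfaces end in "sync(...), <mode>"
            mode = $NF                 # last field: multicast or broadcast
            if (!(mode in seen)) { seen[mode] = 1; modes = modes " " mode }
            down = 0; dirs = ""
            for (i = 2; i < NF; i++) {
                if ($i != "DOWN") continue
                down = 1
                if ($(i-1) ~ /:$/) {   # "Inbound:" or "Outbound:" precedes DOWN
                    d = tolower($(i-1)); sub(/:$/, "", d); dirs = dirs " " d
                }
            }
            if (down) { print "DOWN " $1 dirs; bad = 1 }
        }
        END { print "MODE" modes; exit bad + 0 }
    '
}

# Sample input: the standby member output from this post, spacing normalised.
sample_standby_output() {
    cat <<'EOF'
Required interfaces: 4
Required secured interfaces: 1
DMZ       UP  non sync(non secured), multicast
Internal  Inbound: DOWN (10.9 secs)  Outbound: DOWN (88822.4 secs)  non sync(non secured), multicast
Lan1      UP  sync(secured), multicast
External  Inbound: DOWN (88822.4 secs)  Outbound: DOWN (89001.8 secs)  non sync(non secured), multicast
Virtual cluster interfaces: 3
DMZ       100.9.2.30
Internal  100.9.40.1
External  100.9.38.20
EOF
}

# Demo run; "|| true" because a DOWN interface makes the function return 1.
sample_standby_output | ccp_if_report || true
```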
Note: To softly switch the cluster state between cluster members, use the command "clusterXL_admin <up|down> [-p]".
[Expert@CP]# clusterXL_admin up
Setting member to normal operation ...
Member current state is Standby