Hi, I currently have an issue with Cluster XL (R65 HFA40) and was wondering if anyone has ever encountered such a thing and could shed some light. Please bear with me as this is lengthy.
I'm installing a pair of NGX R65 HFA40 SPLAT 2.4 firewalls in High-Availability ClusterXL mode on open Check Point certified servers. Distributed installation goes all well, set everything up and dandy in the Dashboard, triple checked my IP configuration scheme. After the initial SIC and installation push, all goes well.

I quickly notice however that one of the two cluster members, call it A & B, "A" has an issue with the ClusterXL module and "B" is the active one. I try forcing A to higher priority but it will not take lead. Further troubleshooting indicates that I also can't reach the "A" box on any service (ssh/icmp/https) from an explicitly defined management IP in the rulebase. Funny thing is SIC is still up and I got no issues when pushing a security policy to the cluster (Option to install all-or-nothing on both cluster members is checked). I can't reach the sync interface of A via the "B" machine either.

I've also noticed a LOT of packet loss when both members are "UP", slowing network traffic to a crawl (TCP packet out of state in Tracker). As soon as I take "A" offline completely (fw unloadlocal and cpstop) and remove it from the dashboard config, everything comes back normally and traffic is lightning fast.

Upon closer inspection of /var/log/messages on both machines, I noticed the following error message: "CPHA: Found another machine with same cluster ID..."

SK#i3780 indicates that this is due to the fact that two distinct clusters (with same cluster ID) are present on the same switch/router/telecom equipment and the solution is to change the cluster ID of one of 2 clusters to something distinct. Now I'm not even sure why Check Point is detecting A and B as two distinct clusters instead of two members of the SAME cluster.

I have a ticket opened with Check Point but wanted to see if the community had any inputs.

Thanks

PS: SCS is R70 on a Windows machine on a different server.
