Testing and Troubleshooting
You can use the APIs to retrieve information about the cluster
Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. resource group.
Use these commands on each Cluster Member to confirm that the cluster operates correctly:
Run these commands in the Expert mode:
|
|
|
|
Example:
|
|
Use the cluster configuration test script on each Cluster Member to confirm it is configured correctly:
The script verifies:
-
The configuration is defined in the
$FWDIR/conf/azure-ha.jsonfile, which is created by the ARM Microsoft® Azure Resource Manager. Technology to administer assets using Resource Group. template. -
A Primary DNS server is configured and works.
-
The machine is set up as a Cluster Member
Security Gateway that is part of a cluster.. -
IP forwarding is enabled on all network interfaces of the Cluster Member.
-
It is possible to use the APIs to retrieve information about the cluster's resource group.
-
It is possible to log in to Azure with the Azure credentials in the
$FWDIR/conf/azure-ha.jsonfile. -
Calibration of ClusterXL configuration for Azure. cluster
To get the latest version of the test script:
|
|
Important - In a Cluster, you must configure all the Cluster Members in the same way. |
-
Download the latest version of the test script.
-
For R80.40 and higher, use this link.
-
For R80.30 image version R80.30.273.590 and higher, use this link.
-
For other images, use this link.
Note - To get the image version, see sk116585.
-
-
Copy the downloaded script to a directory.
-
Connect to the command line and log in to the Expert mode.
-
Back up the current
$FWDIR/scripts/azure_ha_test.pyscript:cp -v $FWDIR/scripts/azure_ha_test.py{,_backup} -
Copy the latest script to the
$FWDIR/scripts/directory:cp -v /<path to the downloaded script package>/azure_ha_test.py $FWDIR/scripts/ -
Assign the required permissions:
chmod -v 755 $FWDIR/scripts/azure_ha_test.py
To run the script on each Cluster Member:
-
Connect to the command line.
-
Log in to the Expert mode.
-
Run the script with this command (do not change the syntax):
$FWDIR/scripts/azure_ha_test.pyIf all tests were successful, this message appears:
All tests were successful!Otherwise, an error message appears with information to troubleshoot the problem.
A list of common configuration errors:
|
Message |
Recommendation |
|---|---|
|
|
|
|
|
The Cluster Member is not configured with a DNS server. |
|
|
Confirm that DNS resolution on the Cluster Member works. |
|
|
Make sure that the Cluster Member configuration on the Check Point Security Management Server |
|
|
Use PowerShell to enable IP forwarding on all the network interfaces of the Cluster Member. |
|
|
The Azure Cluster Member configuration is not up-to-date or written correctly. |
|
|
Failed to log in with the credentials provided. See the exception text to understand why. |
|
|
Make sure the Azure Active Directory service account you created is designated as a Virtual Machine Contributor to the cluster resource group. |
Simulate a cluster failover:
For example, shut down the internal interface of the Active Cluster Member.
-
On the current Active Cluster Member, run in the Expert mode:
clusterXL_admin down -
In a few seconds, the second Cluster Member has to report itself as the Active Cluster Member.
Examine the cluster state on each Cluster Member in the Expert mode:
cphaprob state -
On the former Active Cluster Member, run in the Expert mode:
clusterXL_admin up
If you experience issues:
-
Make sure you have a configured Azure Active Directory Service Account.
The service has to have:
-
Virtual Machine Contributor privileges to the resource group
-
At least minimum privileges on the Cluster Member deployment resources. See Changing Template Components.
-
-
To make the networking changes automatically, the Cluster Members have to communicate with Azure. This requires HTTPS connections over TCP port 443 to the Azure end points. Make sure the Security Policy that is installed on the Cluster Members allows this type of communication.