Testing and Troubleshooting the High Availability Cluster Configuration
You can use the APIs to retrieve information about the cluster
Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. resource group.
Use these commands on each Cluster Member to confirm that the cluster operates correctly
cphaprob state
cphaprob -a if
Example:
[Expert@HostName:0]# cphaprob state
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State
1 (local) 11.22.33.245 0% Active
2 11.22.33.246 10% Standby
|
Use the cluster configuration test script on each Cluster Member to confirm that it is configured correctly.
The script verifies:
-
The configuration file is defined in
$FWDIR/conf/gcp-ha.json. -
A Primary DNS server is configured and works.
-
The machine is set up as a Cluster Member
Security Gateway that is part of a cluster.. -
IP forwarding
Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. For more information, see "Forwarding Layer in Cluster" and "ARP Forwarding". is enabled on all network interfaces of the Cluster Member. -
Calibration of ClusterXL
Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. configuration for GCP Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more..
To check the configuration, run the following script on each Cluster Member:
-
Connect to the command line.
- Log in to the Expert mode.
-
Run the script with this command (do not change the syntax):
$FWDIR/scripts/google_ha_test.pyIf all tests were successful, this message opens: All tests were successful! Otherwise, an error message is displayed with information about how to troubleshoot the problem.
Common configuration errors:
| Message | Recommended Action |
|---|---|
|
|
Make sure the configuration file is correct. |
|
|
The Cluster Member is not configured with a DNS server. |
|
|
Confirm that DNS resolution on the Cluster Member works. |
|
|
Make sure the Cluster Member configuration on the Check Point Security Management Server |
|
|
Use PowerShell to enable IP forwarding on all the network interfaces of the Cluster Member. |
|
|
The GCP Cluster Member configuration is not up-to-date, or is written incorrectly. |
|
|
Failed to login with the credentials provided. See the exception text to understand why. |
|
|
Make sure the GCP daemon has access to GCP. |
Follow these steps to simulate a cluster failover
For example, shut down State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster. the internal interface of the Active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. Cluster Member.
-
On the current Active Cluster Member, run in the Expert Mode:
clusterXL_admin down -
After a few seconds, the second Cluster Member has to report itself as the Active Cluster Member.
Examine the cluster state on each Cluster Member. Run in the Expert Mode:
cphaprob state -
On the former Active Cluster Member, run from the Expert Mode:
clusterXL_admin up
If you experience issues:
To make the networking changes automatically, the Cluster Members have to communicate with GCP. This requires HTTPS connections over TCP port 443 to the GCP end points. Make sure that the Security Policy that is installed on the Cluster Members allows for this type of communication.
Using the GCP High Availability Daemon
The cluster solution in GCP uses the daemon to make API calls to GCP when a cluster failover Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over. takes place. This daemon uses a configuration file, $FWDIR/conf/gcp-ha.json, on each Cluster Member.
When you deploy the above solution from the supplied template , a configuration file is automatically created .
The configuration file is in JSON format and contains these attributes:
| Attribute's Name | Type | Value |
|---|---|---|
|
|
Boolean |
True or False |
|
|
String |
Name of the cluster's external, primary public IP address |
|
|
String |
Name of the cluster's external, secondary public IP address |
|
|
String |
IP range for updating |
You can confirm that the daemon in charge of communicating with GCP runs on each Cluster Member.
From Expert Mode, run:
|
|
The output should be similar to this example:
Notes
The script appears in the output.
The STAT column should show E (executing).
The #START column should show 1 (the number of times this script was started by the Check Point Watchdog).
To troubleshoot issues related to this daemon, generate debug.
From Expert Mode, run:
|
|
To enable debug printouts, edit the file according to the following:
#{
"debug": true,
"public_ip": "XXX-primary-cluster-address",
"secondary_public_ip": "XXX-secondary-cluster-address",
"dest_ranges": ["0.0.0.0/0"]
}
|
To disable debug printouts, edit the file according to the following:
#{
"debug": false,
"public_ip": "XXX-primary-cluster-address",
"secondary_public_ip": "XXX-secondary-cluster-address",
"dest_ranges": ["0.0.0.0/0"]
}
|
To change the destination ranges, edit the file according to the following:
#{
"debug": false,
"public_ip": "XXX-primary-cluster-address",
"secondary_public_ip": "XXX-secondary-cluster-address",
"dest_ranges": ["<NEW CIDR>"]
}
|
To set multiple destination ranges (supported starting images with build 904), edit the file according to the following:
#{
"debug": false,
"public_ip": "XXX-primary-cluster-address",
"secondary_public_ip": "XXX-secondary-cluster-address",
"dest_ranges": ["<NEW CIDR1>", "<NEW CIDR2>", "<NEW CIDR3>"]
}
|
Follow these steps to load the configuration
-
Kill the GCP daemon. Run in the Expert mode:
ps aux | grep hadkillall had -
Make sure the process is running.
ps aux | grep had -
In the Expert mode, run:
cpwd_admin list | grep -E "PID|GCP_HAD"
The debug output is written to $FWDIR/log/gcp_had.elg* files.