Troubleshooting


How to enable debugging on each Cluster Member?

From the Cluster Member (either one), run in the Expert mode, in this order:

  • python3 $FWDIR/scripts/aws_ha_cli.py stop

  • python3 $FWDIR/scripts/aws_ha_cli.py --debug reconf

Debug output is written to:

$FWDIR/log/aws_had.elg

To disable debugging, you MUST run the following command on each Cluster Member:

python $FWDIR/scripts/aws_ha_cli.py restart

What permissions are required for the CloudGuard Security Cluster Members IAM role?


Example of an IAM policy document (JSON):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute",
        "ec2:AssignPrivateIpAddresses",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateRoute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}


An IAM role that is not properly configured prevents the Cluster Members from communicating with AWS to make the networking changes (route table and private address updates) required when a Cluster Member fails.

Experiencing issues with the Cluster

Verify that the script in charge of communicating with AWS is running on each Cluster Member.

On the Cluster Member (either one), run in the Expert mode:

cpwd_admin list | grep -E "PID|AWS_HAD"

The output should contain a line similar to:

Notes -

  • The script must appear in the output.

  • The "STAT" column must show "E" ("Executing").

  • The "#START" column must show "1" - this is how many times this script was started by the Check Point WatchDog.

Testing the environment

For testing the Cluster environment, run in the Expert mode:

$FWDIR/scripts/aws_ha_test.py

This runs tests that verify:

  • A Primary DNS server is configured.

  • DNS resolution works.

  • Access from the Cluster Member to the AWS metadata service (HTTP to 169.254.169.254) is available.

  • The instance setup includes an IAM role.

  • IAM credentials are available.

  • Access from the Cluster Member to the AWS web service endpoint (over TCP port 443) is available.

  • The IAM credentials allow the instance to make API calls into AWS.

  • The cluster is configured with at least one internal interface.

  • For each Cluster Member interface, there exists a corresponding AWS ENI (Elastic Network Interface) sharing the same primary private address.

  • All Cluster Member interfaces have the source/destination check disabled.

  • The system clock matches the time reported by AWS.
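Two of these checks, the contents of the IAM role policy and the ENI/source-destination check, evaluated offline on constructed data. This is an added example, not Check Point's aws_ha_test.py; the ENI id "eni-0example", the addresses and the sample policy are made up, and the data is passed in the shape the AWS API returns it rather than fetched.

```python
"""Offline version of two checks that $FWDIR/scripts/aws_ha_test.py performs.
Added example, not Check Point's script: the inputs are constructed below in
the shape the AWS API returns them, instead of being fetched from AWS."""
import fnmatch

# The actions the Cluster Members IAM role policy on this page allows.
REQUIRED_ACTIONS = {"ec2:DescribeRouteTables", "ec2:ReplaceRoute",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:DescribeNetworkInterfaces", "ec2:CreateRoute"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_actions(policy):
    """Required actions the IAM policy does not grant. Wildcards such as
    'ec2:Describe*' match case-insensitively; an explicit Deny overrides Allow."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in REQUIRED_ACTIONS
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted((REQUIRED_ACTIONS - allowed) | denied)

def eni_problems(local_ifaces, enis):
    """local_ifaces: interface name -> primary private IP; enis: entries from
    DescribeNetworkInterfaces. Each needs a matching ENI, SourceDestCheck off."""
    by_ip = {a["PrivateIpAddress"]: e for e in enis
             for a in e.get("PrivateIpAddresses", []) if a.get("Primary")}
    problems = []
    for name, ip in local_ifaces.items():
        eni = by_ip.get(ip)
        if eni is None:
            problems.append(f"{name}: no ENI with primary private IP {ip}")
        elif eni.get("SourceDestCheck", True):
            problems.append(f"{name}: source/dest check enabled on "
                            f"{eni['NetworkInterfaceId']}")
    return problems

# Constructed sample data: the policy lacks ec2:CreateRoute, eth0's ENI still
# has the source/destination check enabled, and eth1 has no matching ENI.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ec2:ReplaceRoute", "ec2:AssignPrivateIpAddresses"]}]}
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-0example", "SourceDestCheck": True,
                "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10",
                                        "Primary": True}]}]
SAMPLE_IFACES = {"eth0": "10.0.1.10", "eth1": "10.0.2.10"}
```

Feeding the real policy from the page into missing_actions returns an empty list, and a policy that fails either check is the first thing to look at when the members cannot update routes on failover.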

Routing tables (RTB) do not fail over with AWS cluster members when more than one RTB is configured

Refer to sk121598.

During failover, the AWS route tables do not change their route from the failed member to the standby member that became active.