High Availability

In This Section: VRRP Advanced VRRP Troubleshooting VRRP

VRRP

Virtual Routing Redundancy Protocol (VRRP) is a high-availability solution where two Gaia Security Gateways can provide backup for each other. Gaia offers two ways to configure VRRP:

• Advanced VRRP - Every VRRP interface must be explicitly configured to monitor every other VRRP interface
• Simplified/Monitored Circuit VRRP - All the VRRP interfaces automatically monitor other VRRP interfaces

Important - You cannot have a standalone deployment (Security Gateway and Security Management Server on the same computer) in a Gaia VRRP cluster.

Understanding VRRP

Each VRRP cluster, known as a Virtual Router, has a unique identifier, known as the VRID (Virtual Router Identifier). A Virtual Router can have one or more virtual IP addresses (VIP) to which other network nodes connect as a final destination or the next hop in a route.

By assigning a virtual IP address (VIP), you can define alternate paths for nodes configured with static default routes. Only the master is assigned a VIP. The backup is assigned a VIP upon failover when it becomes the master. Nodes can have alternate paths with static default routes in the event of a failure. Static default routes minimize configuration and processing overhead on host computers.

Terminology

The conceptual information and procedures in this chapter use standard VRRP terminology. This glossary contains basic VRRP terminology and a reference to related Check Point ClusterXL terms.

VRRP Term	ClusterXL Term	Definition
VRRP Cluster	Cluster	A group of Security Gateways that provides redundancy.
VRRP Router	Member	A Security Gateway using the VRRP protocol that is a member of one or more Virtual Router. In this guide, a VRRP Router is commonly called a Security Gateway.
Master	Primary (active) member	The Security Gateway (Security Gateway) that handles traffic to and from a Virtual Router. The master is the Security Gateway with the highest priority in a group. The master inspects traffic and enforces the security policy.
Backup	Backup (standby) member	A redundant Security Gateway (Security Gateway) that is available to take over for the master in the event of a failure.
VRID	Cluster name	Unique Virtual Router identifier The VRID is the also last byte of the MAC address.
VIP	Cluster IP address	Virtual IP address assigned to a Virtual Router. VIPs are routable from internal and/or external network resources. The VIP is called Backup Address in the WebUI.
VMAC		Virtual MAC address assigned to a Virtual Router.
VRRP Transition	Failover	Automatic change over to a backup Security Gateway when the primary Security Gateway fails or is unavailable. The term 'failover' is used frequently in this guide.

VRRP Types

You can configure VRRP using one of these types:

• Simplified/Monitored Circuit VRRP

  The simplified Monitored Circuit VRRP configuration contains all of the basic parameters and is applicable for most environments. When using the simple method, you configure each Virtual Router as one unit.

• Advanced VRRP

  Use this procedure if you are working with:

  • A system on which VRRP has already been configured using this method
  • An environment where you also want to monitor interfaces that are not running VRRP

You cannot use the Simple and Advanced types together on the same Security Gateway.

How Failover Works

Each Virtual Router (VRRP Group) is identified by a unique Virtual Router ID (VRID). A Virtual Router contains one Master Security Gateway and at least one Backup Security Gateway. The master sends periodic VRRP advertisements (known as hello messages) to the backups.

VRRP advertisements also broadcast the operational status of the master to the backups. Gaia uses dynamic routing protocols to advertise the VIP of the Virtual Router (virtual IP address or backup address).

Notes:

• Gaia supports OSPF on VPN tunnels that terminate at a VRRP group.
• Active/passive VRRP environments are supported with ClusterXL enabled. If ClusterXL is not enabled, active/active environments can be deployed.

If the master or its interfaces fails, VRRP uses a priority algorithm to make the decision if failover to a backup is necessary. Initially, the master is the Security Gateway that has the highest defined priority value. You define a priority for each Security Gateway when you create a Virtual Router or change its configuration. If two Security Gateways have same priority value, the platform that comes online and broadcasts its VRRP advertisements first becomes the master.

Gaia also uses priorities to select a backup Security Gateway upon failover (when there is more than one backup available). In the event of failover, the Virtual Router priority value is decreased by a predefined Delta value to calculate an Effective Priority value. The Virtual Router with the highest effective priority becomes the new master.

Understanding Monitored-Circuit VRRP

Monitored-circuit VRRP prevents connection issues caused by asymmetric routes when only one interface on a master fails (not the master itself). This problem occurs in environments where a gateway is a member of two or more Virtual Routers, typically one with internal interfaces and the other with external interfaces.

For example, when an external interface fails, the master fails over only for the external Virtual Router. The master for the internal Virtual Router does not fail over. This can cause connectivity problems when the internal Virtual Router accepts traffic and is unable to connect to the new external master.

When using the simplified method, Monitored-circuit VRRP monitors all VRRP interfaces on the Security Gateways. When using Advanced VRRP, you configure each interface in a Virtual Router separately. If one interface on a master fails, it releases priority for all VRRP interfaces on that master. This lets the master fail over on all Virtual Routers that include the failed master.

To release the priority, Gaia uses the priority delta value. This is a Check Point proprietary parameter that you define when configuring a Virtual Router. The priority algorithm subtracts the priority delta from the priority value to calculate an effective priority. If you configure your system correctly, the effective priority will be lower than the backup gateway priority in the other Virtual Routers. This causes the problematic master to fail over for the other Virtual Routers as well.

Note - If the effective priority for the current master and backup are the same, the gateway with the highest IP address becomes the master.

See Configuring Monitored-Circuit VRRP using the Simplified Method and Configuring Advanced VRRP for configuration details.

Typical VRRP Use Cases

This section shows examples of some use case VRRP environments.

Internal Network High Availability

This is a simple VRRP high availability use case where Security Gateway1 is the master and Security Gateway 2 is the backup. Virtual Router redundancy is available only for connections to and from the internal network. There is no redundancy for external traffic.

Item	Description
1	Master Security Gateway
2	Backup Security Gateway
3	Virtual Router VRID 5 - Virtual IP Address (Backup Address) is 192.168.2.5
4	Internal Network and hosts

Internal and External Network High Availability

This use case shows an example of an environment where there is redundancy for internal and external connections. Here, you can use one Virtual Routers for the two Security Gateways, for internal and for external connections. The internal and external interfaces must be on different subnets. Define one Security Gateway as the master and one as a backup.

Item	Description
1	Virtual Router VRID 5. External Virtual IP Address (Backup Address) is 192.168.2.5
2	Master Security Gateway
3	Backup Security Gateway
4	Virtual Router VRID 5. Internal Virtual IP Address (Backup Address) is 192.168.3.5
5	Internal network and hosts

Preparing a VRRP Cluster

Do these steps before you start to define a Virtual Router (VRRP Group).

1. Synchronize the system time on all Security Gateways to be included in this Virtual Router.

   Best Practice - We recommend that you enable NTP (Network Time Protocol) on all Security Gateways.
   You can also manually change the time and time zone on each Security Gateway to match the other members. In this case, you must synchronize member times to within a few seconds.

2. Optional: Add host names and IP address pairs to the host table on each Security Gateway. This lets you use host names as an alternative to IP addresses or DNS servers.

Configuring Network Switches

Best Practice - If you use the Spanning Tree protocol on Cisco switches connected to Check Point VRRP clusters, we recommend that you enable PortFast. PortFast sets interfaces to the Spanning Tree forwarding state, which prevents them from waiting for the standard forward-time interval.

If you use switches from a different vendor, we recommend that you use the equivalent feature for that vendor. If you use the Spanning Tree protocol without PortFast, or its equivalent, you may see delays during VRRP failover.

Enabling Virtual Routers

When you log into Gaia for the first time after installation, you must use the First Time Wizard to the initial configuration steps. To use VRRP Virtual Routers (clusters), you must first enable VRRP clustering in the First Time Wizard.

To enable VRRP clustering:

1. Install Gaia using the instructions in the R77 Installation and Upgrade Guide.
2. On the First Time Wizard Products page, select Security Gateway.
   Do not select Security Management. The standalone environment (Security Gateway and Security Management Server) is not supported for VRRP.
3. Select Unit is part of a cluster.
4. Select VRRP Cluster from the list.
5. Continue with the next steps in the wizard.
6. When prompted to reboot the Security Gateway, click Cancel.
   Do not reboot.
7. Do one of these steps:
   • Run cpconfig on the Security Gateway. Select Enable cluster membership for this gateway to enable FW sync.

     Note - This is the most common use and does not support active/active mode. You must configure VRRP so that the same cluster member is the VRRP master on all interfaces. Dynamic routing configuration must match on each cluster member.

     OR:

   • Do not enable ClusterXL.

     Note - This is useful when each cluster member is required to be the VRRP master at the same time. You can configure multiple VRRP virtual routers on the same interface. Each cluster member can be the VRRP master for a different VRID on the same interface while it backs up the other. This configuration can also help run VRRP in a High-Availability pair with a device from another vendor. Disable VRRP’s monitoring of the FW when you use this configuration. It is enabled by default but not supported with this configuration

8. Enter y when prompted.
9. Reboot the Security Gateway.

Do this procedure for each Virtual Router member.

When you complete this procedure for each VRRP member, do these steps in the WebUI:

1. Select VRRP from the navigation tree.
2. Make sure that the Disable All Virtual Routers option is not selected.

When you complete these procedures, define your Virtual Routers using the WebUI or the CLI.

Configuring Global Settings for VRRP

This section includes shows you how to configure the global settings. Global settings apply to all Virtual Routers.

Configure these global settings:

1. Cold Start Delay - Delay period in seconds before a Security Gateway joins a Virtual Router.
   Default = 0.
2. Disable All Virtual Routers - Select this option to disable all Virtual Routers defined on this Gaia system. Clear this option to enable all Virtual Routers. By default, all Virtual Routers are enabled.
3. Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway and automatically take appropriate action. This feature is enabled by default, which is the recommended setting for Security Gateways.

   Important - If you disable Monitor Firewall State, VRRP can assign master status to a Security Gateway before it completes the boot process. This can cause more than one Security Gateway in a Virtual Router to have master status.

Configuration Notes 

Gaia starts to monitor the firewall after the cold start delay completes. This can cause some problems:

• If all the Security Gateway (member) interfaces in a Virtual Router fail, all Security Gateways become backups. None of the Security Gateways can become the master and no traffic is allowed.
• If you change the time on any of the Security Gateways (member), a failover occurs automatically.
• In certain situations, installing a firewall policy causes a failover. This can happen if it takes a long time to install the policy.

Configuring Simplified/Monitored Circuit VRRP - WebUI

This section includes the basic procedure for configuring a Virtual Router.

To add a new Virtual Router:

1. In the navigation tree, select VRRP.
2. In the Virtual Routers section, click Add.
3. In the Add Virtual Router window, configure these parameters:
   • Virtual Router ID - Enter a unique ID number for this virtual router. The range of valid values is 1 to 255.
   • Priority - Enter the priority value, which selects the Security Gateway that takes over in the event of a failure. The Security Gateway with the highest available priority becomes the new master. The range of valid values 1 to 254. The default setting is 100.
   • Hello Interval - (optional) Select the number of seconds, after which the master sends its VRRP advertisements. The valid range is between 1 (default) and 255 seconds.
     
     All VRRP routers on a Security Gateways must be configured with the same hello interval. Otherwise, more than one Security Gateway can be in the master state.
     
     The hello interval also defines the failover interval (the time a backup router waits to hear from the existing master before it takes on the master role). The value of the failover interval is three times the value of the hello interval (default - 3 seconds).
   • Authentication:
     none - No authentication necessary
     simple - A password is required for authentication
     
     You must use the same authentication method for all Security Gateways in a Virtual Router.

     If you select simple, enter a password in the applicable field.

   • Priority Delta - Enter the value to subtract from the Priority to create an effective priority when an interface fails. The range is 1-254.
     
     If an interface fails on the backup, the value of the priority delta is subtracted from its priority. This gives a higher effective priority to another Security Gateway member.
     
     If the effective priority of the current master is less than that of the backup, the backup becomes the master for this Virtual Router. If the effective priority for the current master and backup are the same, the gateway with the highest IP address becomes the master.
4. In the Backup Addresses section, click Add. Configure these parameters in the Add Backup Address window:
   • IPv4 address - Enter the interface IPv4 address.
   • VMAC Mode - Select one of these Virtual MAC modes:
     • VRRP - Sets the VMAC to use the standard VRRP protocol. It is automatically set to the same value on all Security Gateways in the Virtual Router. This is the default setting.
     • Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the master and the backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs. This is because they are dependent on the physical interface MAC address of the currently defined master.

   Note - If you configure different VMACs on the master and backup, you must make sure that you select the correct proxy ARP setting for NAT.

   • Static - Manually set the VMAC address. Enter the VMAC address in the applicable field.
   • Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate more random address. If you select this mode, Gaia constructs the same MAC address for master and backups in the Virtual Router.

   Note - If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer or during failover. This is caused by duplicate IP addresses for the master and backup. This is expected behavior because the master and backups temporarily use the same virtual IP address until they get master and backup status.

   Click Save. The new VMAC mode shows in the in the Backup Address table.

5. To remove a backup address, select an address and click Delete. The address is removed from the Backup Address table.
6. Click Save.

Configuring Simplified/Monitored Circuit VRRP - CLI (mcvr)

Description

Use the mcvr command to configure Simplified/Monitored Circuit VRRP on a single gateway.

Syntax

Add and Delete commands

add mcvr vrid VALUE priority VALUE priority-delta VALUE
	[hello-interval VALUE authtype VALUE password VALUE]

add mcvr vrid VALUE backup-address VALUE vmac-mode VALUE [static-mac VALUE]

delete mcvr vrid VALUE

Important - The order that you run the add mcvr commands is important. Make sure that you run add mcvr vrid VALUE priority VALUE priority-delta VALUE first.

Set Commands

set mcvr vrid VALUE authtype VALUE [password VALUE]

set mcvr vrid VALUE backup-address VALUE vmac-mode VALUE [static-mac VALUE]

set mcvr vrid VALUE hello-interval VALUE

set mcvr vrid VALUE priority VALUE

Show commands

show mcvr vrid VALUE all

show mcvr vrid VALUE authtype

show mcvr vrid VALUE backup-addresses

show mcvr vrid VALUE hello-interval

show mcvr vrid VALUE password

show mcvr vrid VALUE priority

show mcvr vrid VALUE priority-delta

show mcvr vrids

Parameters

Parameter	Description
vrid	Enter a unique ID number for this virtual router. The range of valid values is 1 to 255.
authtype	none - No authentication necessary simple - A password is required for authentication You must use the same authentication method for all Security Gateways in a Virtual Router.
backup-addresses	This is the virtual IP address (VIP) for this Virtual Router. You can define more than one address for a Virtual Router. This IP address must be on the same subnet as an interface on the physical Security Gateway. The IP address must not match the IP address for another device on the subnet. You must configure the same backup address on each physical Security Gateway in the Virtual Router.
vmac-mode	VRRP - Sets the VMAC to the format outlined in the VRRP protocol specification RFC 3768. It is automatically set to the same value on all Security Gateways in a Virtual Router. This is the default. Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the master and the backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs because they are dependent on the physical interface MAC address of the current master. Static - Manually set the VMAC address. Enter the VMAC address after the static-mac keyword. Note - If you configure different VMACs on the master and backup, you must make sure that you select the correct proxy ARP setting for NAT. Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate more random address. If you select this mode, Gaia constructs the same MAC address for master and backups in the Virtual Router. Note - If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer or during failover. This is caused by duplicate IP addresses for the master and backup. This is expected behavior because the master and backups temporarily use the same virtual IP address until they get master and backup status.
static-mac	If the vmac-mode parameter is set to static, you enter the static VMAC address.
hello-interval	(optional) Select the number of seconds, after which the master sends its VRRP advertisements. The valid range is between 1 (default) and 255 seconds. All VRRP routers on a Security Gateways must be configured with the same hello interval. Otherwise, more than one Security Gateway can be in the master state. The hello interval also defines the failover interval (the time a backup router waits to hear from the existing master before it takes on the master role). The value of the failover interval is three times the value of the hello interval (default - 3 seconds).
password	Enter an authentication password. This parameter is only relevant if the authtype value is set to simple.
priority	Enter the priority value, which selects the Security Gateway that takes over in the event of a failure. The Security Gateway with the highest available priority becomes the new master. The range of valid values 1 to 254.
priority delta	Enter the value to subtract from the Priority to create an effective priority when an interface fails. The range is 1-254. If an interface fails on the backup, the value of the priority delta is subtracted from its priority. This gives a higher effective priority to another Security Gateway member. If the effective priority of the current master is less than that of the backup, the backup becomes the master for this Virtual Router. If the effective priority for the current master and backup are the same, the gateway with the highest IP address becomes the master.
vrids	Shows all Virtual Routers.

Configuring the VRRP Security Gateway Cluster in SmartDashboard

1. From the Networks Objects tree, select Check Point > Security Cluster > Check Point appliance/ Open Server.

   The Security Gateway Cluster Creation window opens

2. Choose Wizard Mode.
3. Define the:
   • Cluster Name
   • Cluster IPv4 Address
   • For an IPv6 cluster: Cluster IPv6 Address
4. Choose the Cluster's Solution: Gaia VRRP.
5. Click Finish.

Configuring VRRP Rules for the Security Gateway

1. Define this rule above the Stealth Rule in the Rule Base:

Where:

• Firewalls -Simple Group object containing the firewall objects.
• fwcluster-object - the VRRP cluster object.
• mcast-224.0.0.18 - Node Host object with the IP address 224.0.0.18.

1. If your Security Gateways use dynamic routing protocols (such as OSPF or RIP), create new rules for each multicast destination IP address.

   Alternatively, you can create a Network object to show all multicast network IP destinations with these values:

   • Name: MCAST.NET
   • IP: 224.0.0.0
   • Net mask: 240.0.0.0

   You can use one rule for all multicast protocols you agree to accept, as shown in this example:

Advanced VRRP

Advanced VRRP lets you configure Virtual Routers at the interface level. This section contains only those procedures that are directly related to Advanced VRRP configuration. The general procedures for configuring VRRP clusters are included in the VRRP sections.

With Advanced VRRP, you must configure every Virtual Routers to monitor every VRRP interface.

To change from Advanced VRRP to Simplified/Monitored Circuit VRRP:

1. Delete all existing Virtual Routers.
2. Create new Virtual Routers in accordance with the procedures.

You cannot move a backup address from one interface to another while a Security Gateway is a master. Do these steps to delete and add new interfaces with the necessary IP addresses:

1. Cause a failover to the backup.
2. Reduce the priority or disconnect an interface.
3. Delete the Virtual Router on the interface.
4. Create new Virtual Router using the new IP address.
5. Configure the Virtual Router as before.

Configuring Advanced VRRP - WebUI

To add a virtual router:

1. In the Virtual Routers section, click Add. The Add New Virtual Router window opens.
2. In Virtual Router ID, select the ID number of the virtual router.
3. In Interface, select the interface for the virtual router.
4. In Priority, select the priority value. The priority value determines which router takes over in the event of a failure. The router with the higher priority becomes the new master. The range of values for priority is 1 to 254. The default setting is 100.
5. In Hello Interval, select the number of seconds at which the master sends VRRP advertisements. The range is 1-255 seconds (1 is default).

   All nodes of a given Virtual Router must have the same hello Interval. If not, VRRP discards the packet and both platforms go to master state.

   The hello interval also determines the failover interval; that is, how long it takes a backup router to take over from a failed master. If the master misses three hello advertisements, it is considered to be down because the minimum hello interval is 1 second, therefore the minimum failover time is 3 seconds (3 * Hello_interval).

6. In Preempt Mode, if you keep it selected (the default), when the original master fails, a backup system becomes the acting master. When the original master returns to service, it becomes master again.

   If you clear it, when the original master fails, a backup system becomes the acting master, and the original does not become master again when it returns to service.

7. In Auto-deactivation, if you keep it clear (the default), a virtual router with the lowest priority available (1) can become master if no other Security Gateways exist on the network.

   If you select it, the effective priority can become 0. With this priority, the virtual router does not become the master even if there are no other Security Gateways on the network. If you enable Auto-deactivation, you should also configure the Priority and Priority Delta values to be equal so that the effective priority becomes 0 if there is a VRRP failure.

8. For each Virtual Router, a virtual MAC (VMAC) address is assigned to the VIP. The VMAC address is included in all VRRP packet transmissions as the source MAC address. The physical MAC address is not used.

   In VMAC Mode, select the mode:

   • VRRP—the default mode. Gaia sets the VMAC to the format outlined in the VRRP protocol specification RFC 3768. It is automatically set to the same value on all nodes of a Virtual Router.
   • Interface—Gaia sets the VMAC to the MAC address of the local interface. If you select Interface mode for both master and backup, the VMAC is different for each. The VRRP IP addresses are associated with different VMACs because they depend on the MAC address of the physical interfaces of the platform that is master at the time.

     Note - If you configure different VMACs on the master and backup, you must choose the correct proxy ARP setting for Network Address Translation.

   • Static—select this mode if you want to set the VMAC address manually. Then enter the 48-bit VMAC address in the Static VMAC text field.
   • Extended—similar to VRRP mode, except the system dynamically calculates three additional bytes of the interface hardware MAC address to generate a more random address. If you select this mode, Gaia constructs the same MAC address for master and backup platforms within the Virtual Router.

     Note - If you set the VMAC mode to interface or static, syslog error messages are displayed when you reboot or at failover, indicating duplicate IP addresses for the master and backup. This is expected behavior since both the master and backup routers temporarily use the same virtual IP address until they resolve into master and backup.

9. In Authentication, select None or Simple password.
   You must select the same authentication method for all nodes in the Virtual Router.
10. To add Backup Addresses:
    1. In the Backup Addresses section, click Add to add a backup address.
       The Add Backup Address window opens.
    2. In IPv4 address, enter the IPv4 address.
    3. Click Save. The address shows in the Backup Address table.
    4. To remove a backup address, select an address and click Delete.
       The address is removed from the Backup Address table.
11. To configure Monitored interfaces:
    1. In the Monitored Interfaces section, click Add, to add a backup address.
       A warning that this action locks the interface for this virtual route opens.
    2. Click OK. The Add Monitored Interface window opens.
       1. In Interface, from the drop-down list, select the interface.
       2. In Priority delta, enter the number to subtract from the priority.
          This creates an effective priority when an interface related to the backup fails. The range is 1-254.
       3. Click Save. The interface and its priority delta show in the Monitored Interfaces table.
    3. To edit a monitored interface, select an interface and click Edit. The Edit Monitored Interface window opens.
       1. Enter or select the new priority delta.
       2. Click Save.
    4. To remove a Monitored Interface, select an interface, and click Delete.
       The interface is removed from the Monitored Interfaces table.
12. Click Save.

Configuring Advanced VRRP - CLI (vrrp)

Description

Use the vrrp command to configure Global and Advanced VRRP settings.

Syntax

Set Commands

set vrrp 

	coldstart-delay VALUE

	disable-all-virtual-routers on|off

	monitor-firewall on|off

set vrrp interface VALUE 

	authtype none

	authtype simple VALUE

	monitored-circuit vrid VALUE auto-deactivation VALUE

	monitored-circuit vrid VALUE backup-address VALUE on|off

	monitored-circuit vrid VALUE hello-interval VALUE

	monitored-circuit vrid VALUE monitored-off

	monitored-circuit vrid VALUE monitored-on

	monitored-circuit vrid VALUE monitored-priority-delta VALUE

	monitored-circuit vrid VALUE off

	monitored-circuit vrid VALUE on

	monitored-circuit vrid VALUE preempt-mode VALUE

	monitored-circuit vrid VALUE priority VALUE

	monitored-circuit vrid VALUE vmac-mode default-vmac

	monitored-circuit vrid VALUE vmac-mode extended-vmac

	monitored-circuit vrid VALUE vmac-mode interface-vmac

	monitored-circuit vrid VALUE vmac-mode static-vmac VALUE off

	virtual-router vrid VALUE hello-interval VALUE

	virtual-router vrid VALUE off

	virtual-router vrid VALUE on

	virtual-router vrid VALUE vmac-mode default-vmac

	virtual-router vrid VALUE vmac-mode extended-vmac

	virtual-router vrid VALUE vmac-mode interface-vmac

	virtual-router vrid VALUE vmac-mode static-vmac VALUE

Show Commands

show vrrp

show vrrp interface VALUE

show vrrp interfaces

show vrrp stats

show vrrp summary

Parameters

Parameter	Description
coldstart-delay	Delay period in seconds before a Security Gateway joins a Virtual Router.
disable-all-virtual-routers [on|off]	on or off. Enable or disable all Virtual Routers on this Security Gateway.
monitor-firewall on|off	Monitor Security Gateway status.
vrrp interface VALUE	The name of the specified Virtual Router interface
authtype simple VALUE	Enter a password to authenticate the Virtual Router.
monitored-circuit vrid	Enter the VRID.
auto-deactivation	on or off. On would create an effective priority 0. A virtual router with 0 priority cannot become a master.
backup-address	The IPv4 address of the backup Security Gateway.
hello-interval	The number of seconds at which the master sends VRRP advertisements. The range is 1-255 seconds (1 is default).
monitored-priority-delta	If an interface associated with a backup address fails, the value of the priority delta is subtracted from the priority to yield an effective priority for the physical router. When the effective priority on the master is less than the priority of another router in the Virtual Router, a new master is selected. The range is 1-254
preempt-mode	on or off. If on, after a failover, the original master becomes master again when returns to service. If off, the backup system that becomes master, remains master. There is no default value.
priority	The router with the higher priority becomes the new master when a failure occurs. The range is 1-254. The default setting is 100.
virtual-router vrid	The virtual router ID number

Configuring VRRP Clusters in SmartDashboard

This section includes the procedure for configuring a VRRP cluster object in SmartDashboard. Only those procedures that are related to VRRP are shown here.

1. In SmartDashboard, create a new cluster object using the Classic mode.
2. Enter the VIP as the IP address.
3. On the Cluster Members page, add the physical Security Gateways included in the Virtual Router.
4. On the ClusterXL and VRRP page, select High Availability and then select VRRP from the list.
5. Select all of the options in the Advanced settings section, including Use State Synchronization.
6. On the Topology page, configure the cluster and member Security Gateway interfaces as required.

   Make sure that you configure the synchronization interfaces.

7. Configure other cluster parameters as necessary.

Troubleshooting VRRP

This section shows known issues with VRRP configurations and fixes. Read this section before contacting Check Point Technical Support.

You can log information about errors and events for troubleshooting VRRP. Enable traces for VRRP.

To enable traces for VRRP:

1. In the WebUI tree, select Routing > Routing Options.
2. In the Trace Options section, in the Filter Visible Tables Below drop down list, select VRRP.
3. In the VRRP table, select an option, and click Activate.

   The system restarts the routing subsystem and signals it to reread its configuration. The option you selected, its name and On/Off radio buttons show on the page.

General Configuration Considerations

If VRRP failover does not occur as expected, make sure that the configuration of these items.

• All Security Gateways in a Virtual Router must have the same system times. The simplest method to synchronize times is to enable NTP on all nodes of the Virtual Router. You can also manually change the time and time zone on each node to match the other nodes. It must be no more than seconds apart.
• All routers of a Virtual Router must have the same Hello Interval.
• The Priority Delta must be sufficiently large for the Effective Priority to be lower than the master router. Otherwise, when you pull an interface for a Monitored-Circuit VRRP test, other interfaces do not release IP addresses.
• You can use different encryption accelerator cards in two appliances of one Virtual Router or IP cluster (such as the Check Point Encrypt Card in one appliance, and the older Check Point Encryption Accelerator Card in a different appliance). When you do, select encryption/authentication algorithms supported on the two cards. If the encryption/authentication algorithm is supported on the master only, and you use NAT, tunnels failover incorrectly. If the encryption/authentication algorithm is supported on the master only, without NAT, tunnels are not accelerated after failover.
• Each unique Virtual Router ID must be configured with the same backup address on each gateway.
• The VRRP monitor in the WebUI might show one of the interfaces in initialize state. This might suggest that the IP address used as the backup address on that interface is invalid or reserved.
• SNMP Get on Interfaces might list the incorrect IP addresses. This results in incorrect Policy. An SNMP Get (for the Firewall object Interfaces in the GUI Security Policy editor) fetches the lowest IP address for each interface. If interfaces are created when the node is the VRRP master, the incorrect IP address might be included. Repair this problem, edit the interfaces by hand if necessary.

Firewall Policies

Configure the firewall policies to accept VRRP packets on the Gaia platform. The multicast destination assigned by the IANA for VRRP is 224.0.0.18. If the policy does not accept packets to 224.0.0.18, firewall platforms in one Virtual Router take on Master state.

Monitored-Circuit VRRP in Switched Environments

With Monitored-Circuit VRRP, some Ethernet switches might not recognize the VRRP MAC address after a master to backup change. This is because many switches cache the MAC address related to the Ethernet device attached to a port. When failover to a backup router occurs, the Virtual Router MAC address changes to a different port. Switches that cache the MAC address might not change to the correct port during a VRRP change.

To repair this problem, you can take one of these actions:

1. Replace the switch with a hub.
2. Disable MAC address caching on the switch, or switch ports that the security platforms are connected to.

   It might be not possible to disable the MAC address caching. If so, set the address aging value sufficiently low that the addresses age out each second or two. This causes more overhead on the switch. Therefore, find out if this is a viable option for the model of switch you run.

The Spanning Tree protocol prevents Layer 2 loops across multiple bridges. Spanning-Tree can be enabled on the ports connected to the two sides of a VRRP pair. It can also see multicast Hello Packets come for the same MAC address from two different ports. When the two occur, it can suggest a loop, and the switch blocks traffic from one port. If a port is blocked, no security platforms in the VRRP pair can get Hello Packets from other. In which instance, the two of them enter the master router state.

If possible, turn off Spanning-Tree on the switch to resolve this issue. But, this can have deleterious effects if the switch is involved in a bridging loop. If you cannot disable Spanning-Tree, enable PortFast on the ports connected to the VRRP pair. PortFast causes a port to enter the Spanning-Tree forwarding state immediately, by passing the listening and learning states. The command to enable PortFast is set spantree portfast 3/1-2 enable, where 3/1-2 refers to slot 3, ports 1 and 2.