Troubleshooting Issues with Bonded Interfaces

Troubleshooting Workflow

  1. View the logs from this cluster in SmartConsole > Logs & Monitor > Logs.

  2. On the Cluster Members, examine the status of the bond interface in one of these ways:

    See Viewing Bond Interfaces.

  3. If there is a problem, see if the physical link is down:

    1. Look for a subordinate interface that reports the status of the link as "no".

    2. Examine the cable connections and other hardware.

    3. Examine the port configuration on the switch, to which this subordinate interface connects.
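
One way to automate step 3.1 of the workflow above, as an added example that is not part of the original Check Point documentation. It assumes the bond status output (for instance from `cphaprob show_bond <bond name>`) is a `name | status | link` table; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: list subordinate interfaces whose Link column reads "no".
# Assumption: bond status rows look like "name | status | link".

# down_subordinates: reads bond status text on stdin and prints one
# "<interface> <status>" line for every subordinate whose link is "no".
down_subordinates() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        NF == 3 {
            name   = trim($1)
            status = trim($2)
            link   = tolower(trim($3))      # accept "No", "NO", "no"
            # Skip the column header row and any empty name cell
            if (name == "" || link == "link") next
            if (link == "no") print name, status
        }
    '
}

# Constructed sample input (not captured from a real Cluster Member)
sample_bond_status() {
    cat <<'EOF'
Bond name:      bond0
Bond mode:      High Availability
Bond status:    UP

Slave name      |  Status          |  Link
----------------+------------------+-------
eth2            |  Active          |  Yes
eth3            |  Down            |  No
EOF
}

# Stand-alone run: prints the interfaces whose cabling and switch port
# configuration should be examined next (steps 3.2 and 3.3).
sample_bond_status | down_subordinates
```

An empty result means every subordinate interface reports its link as up, so the problem is not a physical link on this Cluster Member.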

On a VSX Cluster Member, a reboot is needed after these actions on a bond interface:

  1. Changing a bond mode.

  2. Adding a subordinate interface into an existing bond.

    Note - Removing a subordinate interface from an existing bond does not require a reboot.

Connectivity Delays on Switches

Connectivity delays may occur in switches during some internal bond failovers. With the various features that are now included on some switches, it can take close to a minute for a switch to begin servicing a newly connected interface.

These are suggestions for reducing the startup time after link failure.

  1. Disable auto-negotiation on the relevant interface.

  2. On Cisco switches, enable the PortFast feature (see the applicable Cisco documentation).

    Warning - The PortFast feature should never be used on ports that connect to switches or hubs. It is important that the Spanning Tree complete the initialization procedure in these situations. Otherwise, these connections may cause physical loops where packets are continuously forwarded (or even multiply) in such a way that can cause the network to fail.

  3. Disable STP on the switch ports (see the applicable switch vendor documentation).