Viewing Cluster State

Description

This command monitors the cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. status (after you set up the cluster).

Syntax

Shell	Command
Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).	`set virtual-system <VSID>` `show cluster state`
Expert mode	`cphaprob [-vs <VSID>] state`

Example

Member1> show cluster state
 
Cluster Mode:   High Availability (Active Up) with IGMP Membership
 
ID         Unique Address  Assigned Load   State          Name
 
1 (local)  11.22.33.245    100%            ACTIVE(!)      Member1
2          11.22.33.246    0%              DOWN           Member2
 
 
Active PNOTEs: COREXL
 
Last member state change event:
   Event Code:                 CLUS-116505
   State change:               INIT -> ACTIVE(!)
   Reason for state change:    All other machines are dead (timeout), FULLSYNC PNOTE
   Event time:                 Sun Sep  8 15:28:39 2019
v Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Sun Sep  8 15:28:21 2019 (reboot)
 
Member1>

Description of the "cphaprob state" command output fields:

Table: Description of the output fields
Field	Description
Cluster Mode	Can be one of these: Load Sharing A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS. (Multicast). Load Sharing (Unicast). High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA. (Primary Up ClusterXL in High Availability mode that was configured as Switch to higher priority Cluster Member in the cluster object in SmartConsole: (1) Each Cluster Member is given a priority (SmartConsole > cluster object > 'Cluster Members' pane). Cluster Member with the highest priority appears at the top of the table, and Cluster Member with the lowest priority appears at the bottom of the table. (2) The Cluster Member with the highest priority will assume the Active state. (3) If the current Active Cluster Member with the highest priority (for example, Member_A), fails for some reason, or is rebooted, then failover occurs between Cluster Members. The Cluster Member with the next highest priority will be promoted to be Active (for example, Member_B). (4) When the Cluster Member with the highest priority (Member_A) recovers from a failure, or boots, then additional failover occurs between Cluster Members. The Cluster Member with the highest priority (Member_A) will be promoted to Active state (and Member_B will return to Standby state).). High Availability (Active Up ClusterXL in High Availability mode that was configured as Maintain current active Cluster Member in the cluster object in SmartConsole: (1) If the current Active member fails for some reason, or is rebooted (for example, Member_A), then failover occurs between Cluster Members - another Standby member will be promoted to be Active (for example, Member_B). (2) When former Active member (Member_A) recovers from a failure, or boots, the former Standby member (Member_B) will remain to be in Active state (and Member_A will assume the Standby state).). Virtual System Load Sharing For third-party clustering products: Service, refer to Clustering Definitions and Terms, for more information.
ID	In the High Availability mode - indicates the Cluster Member Security Gateway that is part of a cluster. priority, as configured in the cluster object in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. In Load Sharing mode - indicates the Cluster Member ID, as configured in the cluster object in SmartConsole.
Unique Address	Usually, shows the IP addresses of the Sync interfaces. In some cases, can show IP addresses of other cluster interfaces.
Assigned Load	In the ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. High Availability mode - shows the Active Cluster Member with 100% load, and all other Standby Cluster Members with 0% load. In ClusterXL Load Sharing modes (Unicast and Multicast) - shows all Active Cluster Members with 100% load.
State	In the ClusterXL High Availability mode, only one Cluster Member in a fully-functioning cluster must be ACTIVE, and the other Cluster Members must be in the STANDBY state. In the ClusterXL Load Sharing modes (Unicast and Multicast), all Cluster Members in a fully-functioning cluster must be ACTIVE. In 3rd-party clustering configuration, all Cluster Members in a fully-functioning cluster must be ACTIVE. This is because this command only reports the status of the Full Synchronization process. See the summary table below.
Name	Shows the names of Cluster Members' objects as configured in SmartConsole.
Active PNOTEs	Shows the Critical Devices that report theirs states as "`problem`" (see Viewing Critical Devices).
Last member state change event	Shows information about the last time this Cluster Member changed its cluster state.
Event Code	Shows an event code. For information, see sk125152.
State change	Shows the previous cluster state and the new cluster state of this Cluster Member.
Reason for state change	Shows the reason why this Cluster Member changed its cluster state.
Event time	Shows the date and the time when this Cluster Member changed its cluster state.
Last cluster failover event	Shows information about the last time a cluster failover Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over. occurred.
Transition to new ACTIVE	Shows which Cluster Member became the new Active.
Reason	Shows the reason for the last cluster failover.
Event time	Shows the date and the time of the last cluster failover.
Cluster failover count	Shows information about the cluster failovers.
Failover counter	Shows the number of cluster failovers since the boot. Notes: This value survives reboot. This counter is synchronized between Cluster Members.
Time of counter reset	Shows the date and the time of the last counter reset, and the reset initiator.

When you examine the state of the Cluster Member, consider whether it forwards packets, and whether it has a problem that prevents it from forwarding Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. For more information, see "Forwarding Layer in Cluster" and "ARP Forwarding". packets. Each state reflects the result of a test on critical devices. This table shows the possible cluster states, and whether or not they represent a problem.

Table: Description of the cluster states
Cluster State	Description	Forwarding packets?	Is this state a problem?
ACTIVE	Everything is OK.	Yes	No
ACTIVE(!) ACTIVE(!F) ACTIVE(!P) ACTIVE(!FP)	A problem was detected, but the Cluster Member still forwards packets, because it is the only member in the cluster, or because there are no other Active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. members in the cluster. In any other situation, the state of the member is Down. `ACTIVE(!)` - See above. `ACTIVE(!F)` - See above. Cluster Member is in the freeze state. `ACTIVE(!P)` - See above. This is the Pivot A Cluster Member in the Unicast Load Sharing cluster that receives all packets. Cluster Virtual IP addresses are associated with Physical MAC Addresses of this Cluster Member. This Pivot Cluster Member distributes the traffic between other Non-Pivot Cluster Members. Cluster Member in Load Sharing Unicast mode. `ACTIVE(!FP)` - See above. This is the Pivot Cluster Member in Load Sharing Unicast mode and it is in the freeze state.	Yes	Yes
DOWN	One of the Critical Devices reports its state as "`problem`" (see Viewing Critical Devices).	No	Yes
LOST	The peer Cluster Member lost connectivity to this local Cluster Member (for example, while the peer Cluster Member is rebooted).	No	Yes
READY	State Ready means that the Cluster Member recognizes itself as a part of the cluster and is literally ready State of a Cluster Member during after initialization and before promotion to the next required state - Active / Standby / VRRP Master / VRRP Backup (depending on Cluster Mode). A Cluster Member in this state does not process any traffic passing through cluster. A member can be stuck in this state due to several reasons - see sk42096. to go into action, but, by design, something prevents it from taking action. Possible reasons that the Cluster Member is not yet Active include: Not all required software components were loaded and initialized yet and/or not all configuration steps finished successfully yet. Before a Cluster Member becomes Active, it sends a message to the rest of the Cluster Members, to check if it can become Active. In High Availability mode it checks if there is already an Active member and in Load Sharing Unicast mode it checks if there is a Pivot member already. The member remains in the Ready state until it receives the response from the rest of the Cluster Members and decides which, which state to choose next (Active, Standby, Pivot, or non-Pivot). Software installed on this Cluster Member has a higher version than all the other Cluster Members. For example, when a cluster is upgraded from one version of Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to another, and the Cluster Members have different versions of Check Point Security Gateway, the Cluster Members with the new version have the Ready state, and the Cluster Members with the previous version have the Active/Active Attention state. This applies only when the Multi-Version Cluster The Multi-Version Cluster mechanism lets you synchronize connections between cluster members that run different versions. This lets you upgrade to a newer version without a loss in connectivity and lets you test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members. Acronym: MVC. Mechanism is disabled (see Viewing the State of the Multi-Version Cluster Mechanism). See sk42096 for a solution.	No	No
STANDBY	Applies only to a High Availability mode. Means that the Cluster Member waits for an Active Cluster Member to fail in order to start packet forwarding.	No	No
BACKUP	Applies only to a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster in Virtual System Load Sharing mode with three or more Cluster Members configured. State of a Virtual System on a third (and so on) VSX Cluster Member.	No	No
INIT	The Cluster Member is in the phase after the boot and until the Full Sync Process of full synchronization of applicable kernel tables by a Cluster Member from the working Cluster Member(s) when it tries to join the existing cluster. This process is meant to fetch a ‎"snapshot" of the applicable kernel tables of already Active Cluster Member(s). Full Sync is performed during the initialization of Check Point software (during boot process, the first time the Cluster Member runs policy installation, during 'cpstart', during 'cphastart'). Until the Full Sync process completes successfully, this Cluster Member remains in the Down state, because until it is fully synchronized with other Cluster Members, it cannot function as a Cluster Member. Meanwhile, the Delta Sync packets continue to arrive, and the Cluster Member that tries to join the existing cluster, stores them in the kernel memory until the Full Sync completes. The whole Full Sync process is performed by fwd daemons on TCP port 256 over the Sync network (if it fails over the Sync network, it tries the other cluster interfaces). The information is sent by fwd daemons in chunks, while making sure they confirm getting the information before sending the next chunk. Also see "Delta Sync". completes.	No	No