Heya Cesar,
I think I've seen your problem before... It happens when your firewalls
have a certain number of interfaces but you aren't using all of them in
your cluster configuration. However, Check Point firewalls in cluster,
unless told otherwise, still believe that those interfaces are part of
the cluster. Let's take for example your firewalls actually have 4
interfaces (which is how it appears by the error message), but you have
only configured 3 of those interfaces on each of your firewalls to be
"clustered interfaces". Hence, you have a 4th interface which I presume
is disconnected and just sitting there. This results in the Check Point
firewalls thinking that their 4th interface is down, and the error
messages look similar to what appears in your logs.
However, there is an easy fix. >:) On each of your firewalls, modify the
file:
/$FWDIR/conf/discntd.if
This file allows you to add the interfaces which ClusterXL shouldn't
check for as active. You enter them line by line. So, in your situation,
you'd enter something like:
eth3 or
qfe3
Or whatever the interface is.
After modifying the file, you'll have to restart the CP services. This
should make your cluster "ignore" that interface as part of the cluster.
Hope this helps.
Regards,
Jason Ha [CISSP, CCSE, JNCIS-FWV]
Senior Security Engineer,
Security Operations Centre
VeriSign Asia Pacific
-----Original Message-----
From: Cesar Farro Flores [mailto:cesar.farro@t-empresas.com.pe]
Sent: Saturday, June 11, 2005 8:21 AM
To: firewalls@securityfocus.com
Subject: Cpinfo of Cluster XL New Mode
Hi List,
I have installed two modules of firewall NGR55+HF13 over Solaris 9 and
my SmartCenter is running over SecurePlatform NG R55+HF13, The status of
the Cluster is : (Active- OK /Stanbye-OK) and we have tested the high
availibility.This works very well.The stateful failover is very good.
But, there is a problem...(I dont know if it is a real problem), in our
SmartCenter- SmartView Log shows the following messages :
########################################################################
###############
cluster_info :(ClusterXL) member 2 (172.20.0.2) is up cluster_info
:(ClusterXL) member 2 (172.20.0.2) is stanby cluster_info :(ClusterXL)
interface bge0 of member 2 (172.20.0.2) is up cluster_info :(ClusterXL)
member 2 (172.20.0.2) is down (Interface Active Check on member 2
(172.20.0.2) detecteda a problem ( 4 interfaces required,only 3 up).
cluster_info : (ClusterXL) interface bge0 of member 2 (172.20.0.2) is
down (receive up,transmit down) cluster_info : (CLusterXL) member 2
(172.20.0.2) is up (Interface Active Check on member 2 (172.20.0.2)
status OK.).
cluster_info : (ClusterXL) member 2 (172.20.0.2) is up cluster_info :
(ClusterXL) member 2 (172.20.0.2) is standby cluster_info :(ClusterXL)
interface bge0 of member 2 (172.20.0.2) is up cluster_info :(ClusterXL)
member 2 (172.20.0.2) is down
########################################################################
###############
We have performed the following actions :
1.- set_ccp traffic Multicast to Broadcast in each module of firewall
(Done)
when we execure this command it shows us randomize messages.
2.- Disable IGMP in the Switch 6500 (Done)
3.- Disable( Spanning Tree in The Switch 6500 (Done)
But, The messages are still showing.
I will appreciate your help.
Cesar Farro.
