Cluster Debug Notes

There are tons of these, but I wanted to keep my own copy from Sergei so I can update.

https://forums.checkpoint.com/forums/message.jspa?messageID=41797

(1)
Enabling VMAC is not related to cluster failover.
VMAC is intended to eliminate problems with the ARP cache on L2/L3 networking devices.

(2)
The issues with different values in ‘Required interfaces’ are solved in the following way:

A) make sure the configuration of interfaces is identical on all cluster members (i.e., pairs of interfaces are assigned the same subnet mask, the total number of interfaces is identical, etc.)

NOTE: on GAIA you should double check the configuration – the outputs of ‘show interfaces’ in CLISH must match the outputs of ‘ifconfig’ in Expert mode

B) SmartDashboard – cluster object – ClusterXL – Topology – Edit
— get the interfaces with topology from each member
— configure VIP addresses
— OK
— File menu – Save

C) SmartDashboard – install policy onto cluster object

D) on each cluster member check that the policy was installed
# cpstat -f policy fw

E) reboot each member

F) output of ‘cphaprob -a if’ must be identical on all cluster members
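
One way to run the step F comparison, as an added example that is not part of the original notes. It assumes the output of 'cphaprob -a if' from each member has been saved to its own file; the member names fw1 to fw3 and the sample text are constructed for illustration and only approximate the real layout.

```shell
#!/bin/sh
# Added example: compare saved 'cphaprob -a if' captures, one file per member.

# Collapse column padding and drop blank lines so only real content is compared.
normalize() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# compare_members REF FILE...
# Prints the differing lines; returns the number of files that differ from REF.
compare_members() {
    ref=$1; shift
    tmp=$(mktemp -d) || return 255
    normalize "$ref" > "$tmp/ref"
    mismatched=0
    for f in "$@"; do
        normalize "$f" > "$tmp/cur"
        if ! diff "$tmp/ref" "$tmp/cur" > "$tmp/diff"; then
            mismatched=$((mismatched + 1))
            echo "MISMATCH: $f differs from $ref"
            sed 's/^/    /' "$tmp/diff"
        fi
    done
    rm -rf "$tmp"
    return "$mismatched"
}

# Constructed sample captures (hypothetical members fw1..fw3, illustrative layout).
make_samples() {
    printf '%s\n' 'Required interfaces: 3' 'Required secured interfaces: 1' '' \
        'eth0   UP   non sync(non secured), multicast' \
        'eth1   UP   sync(secured), multicast' \
        'eth2   UP   non sync(non secured), multicast' > "$1/fw1.txt"
    # fw2: same content, different column padding (must still compare equal)
    sed 's/   /      /g' "$1/fw1.txt" > "$1/fw2.txt"
    # fw3: one extra interface, so 'Required interfaces' differs
    { sed 's/^Required interfaces: 3/Required interfaces: 4/' "$1/fw1.txt"
      echo 'eth3   UP   non sync(non secured), multicast'; } > "$1/fw3.txt"
}

# With two or more file arguments compare those; otherwise run the constructed demo.
if [ "$#" -ge 2 ]; then
    compare_members "$@"
else
    demo=$(mktemp -d) && make_samples "$demo"
    compare_members "$demo/fw1.txt" "$demo/fw2.txt" "$demo/fw3.txt" \
        || echo "members differing from fw1: $?"
    rm -rf "$demo"
fi
```

A non-zero exit status means at least one member disagrees with the reference file, which is the condition under which the cluster debug below should be collected.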

If these outputs differ on cluster members, then it is necessary to collect the debug of cluster configuration from each member

Prepare
# fw ctl debug 0
# fw ctl debug -buf 32000
# fw ctl debug -m cluster + conf stat pnote if

Start
# fw ctl kdebug -T -f 1>> /var/log/$(uname -n)_cluster_debug.txt 2>> /var/log/$(uname -n)_cluster_debug.txt

Replicate
Install policy in SmartDashboard

Stop
press CTRL+C
# fw ctl debug 0

Send for analysis
— CPinfo file from each member
— /var/log/HOSTNAME_cluster_debug.txt from each member
— /var/log/messag* from each member
— CPinfo file from MGMT Server

=====================  Mike Notes ========================

fw ctl zdebug -m fw + drop  (SK80520)

fw ctl zdebug -m cluster + select  (SK35211)

==========================================================

Super detailed CP clustering info

http://dl3.checkpoint.com/paid/69/ATRG_ClusterXL_R6x_R7x.pdf?HashKey=1383163027_45c30c9c078e366c1b87929eae7fcc97&xtn=.pdf

 

===================================================

Enable/Disable Sync: fw ctl setsync start/stop

Print out sync stats: fw ctl pstat

 


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
