2/20/2017 AddingorremovinganinterfaceinClusterXLHighAvailabilitytopologymightcausefailover

WWW.CHECKPOINT.COM WELCOME: CHRISTOPHER JEWELL| SIGN OUT

TRY OUR PRODUCTS QUOTING TOOLS ASSETS / INFO SUPPORT / SERVICES

Support Center > Search Results > SecureKnowledge Details

Search Support Center

Adding or removing an interface in ClusterXL High Availability topology might cause fail-over

Rate This My Favorites Email Print

Solution ID sk57100
Product ClusterXL
Version All
OS SecurePlatform 2.6, Gaia, Crossbeam XOS
Platform / Model All
Date Created 08-Nov-2010
Last Modied 15-Nov-2016

Symptoms
Adding or removing an interface (either physical, or logical (e.g. VLAN)) in ClusterXL High Availability topology might cause fail-over.

Cause
Adding an interface (either physical, or logical)on a cluster member is done in Operating System. Check Point kernel always attaches itself to the interface. As a result,
Cluster Layer also detects a new interface, and by design, expect to receive and to send CCP packets through that interface. Since this new interface is not dened yet in
cluster Topology, CCP packets will not be sent/received through that interface. As a result, Cluster Layer declares that interface as failed, which in turn causes fail-over.

Removing an interface(either physical, or logical) on a cluster member cause the Cluster Layer to detect less interfaces than on the other member. By design, fail-over
occurs in such case.

Solution
Complete maintenance window is strongly recommended when an interface must be added/removed to/from cluster Topology.

If such complete maintenance window is not possible, then in order to avoid unnecessary fail-overs, the following action plan is suggested for High Availability cluster:

1. Stop the clustering on Standby member

2. Perform all operations on Standby member
3. Perform all operations on Active member
4. Perform all operations in SmartDashboard
5. Start the clustering on Standby member

Note for Load Sharing mode: Schedule a maintenance window and follow the above action plan (treat one of the members as "Standby").

Detailed action plan for adding an interface into cluster topology

Show / Hide instructions

1. Perform these steps on the Standby member:

A. Either stop the Clustering by running the 'cphastop' command, or bring this member administratively down by running the 'clusterXL_admindown'
command.

B. Remove the interface name from the $FWDIR/conf/discntd.if conguration le.

C. Plug in the interface cable.

D. Assign an IP address to the interface:

Gaia OS:
either in Gaia Clish, or in Gaia Portal

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57100 1/4
2/20/2017 AddingorremovinganinterfaceinClusterXLHighAvailabilitytopologymightcausefailover
SecurePlatform OS:
either in 'sysconfig' menu, or in SecurePlatform WebUI

E. Bring the interface up:

Gaia OS:
either in Gaia Clish by running the 'setinterfaceIF_NAMEstateon' command, or in Gaia Portal

SecurePlatform OS:
either in Expert mode by running the 'ifconfigIF_NAMEup' command, or in SecurePlatform WebUI

F. Check the connectivity through the new interface.

Note: If there are still unused interfaces on cluster members, they must be added to the $FWDIR/conf/discntd.if conguration le - refer to sk30060 and to
ClusterXL Admin Guide (does not apply to Gaia OS R75.47 and R77.20 (and above)).

2. Perform these steps on the Active member:

A. Remove the interface name from the $FWDIR/conf/discntd.if conguration le.

B. Plug in the interface cable.

C. Assign an IP address to the interface:

Gaia OS:
either in Gaia Clish, or in Gaia Portal

SecurePlatform OS:
either in 'sysconfig' menu, or in SecurePlatform WebUI

D. Bring the interface up:

Gaia OS:
either in Gaia Clish by running the 'setinterfaceIF_NAMEstateon' command, or in Gaia Portal

SecurePlatform OS:
either in Expert mode by running the 'ifconfigIF_NAMEup' command, or in SecurePlatform WebUI

E. Check the connectivity through the new interface.

Note: If there are still unused interfaces on cluster members, they must be added to the $FWDIR/conf/discntd.if conguration le - refer to sk30060 and to
ClusterXL Admin Guide (does not apply to Gaia OS R75.47 and R77.20 (and above)).

3. Perform these steps in SmartDashboard:

A. Open Cluster object properties.

B. Go to 'Topology' pane - click on 'Edit...'.

C. In the column of each member, click on 'GetTopology'.

D. Congure the Network Objective for the new interface.

E. Congure the Virtual IP address the new interface, if needed.

F. Click on 'OK' to apply the changes.

G. Save the changes: go to 'File' menu - click on 'Save'.

H. Install policy onto the cluster object.

4. Perform these steps on Standby member:

A. Connect to the command line (over SSH, or console).

B. Log in to the Expert mode.

C. Either start the Clustering by running the 'cphastart' command, or bring this member administratively up by running the 'clusterXL_adminup' command.

5. Verify that the new interface was added to cluster topology - run this command on each cluster member:

[Expert@HostName]#cphaprobaif

If the new interface was not added yet, then reboot each cluster member.

Detailed action plan for removing an interface from cluster topology

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57100 2/4
2/20/2017 AddingorremovinganinterfaceinClusterXLHighAvailabilitytopologymightcausefailover
Show / Hide instructions

1. Perform these steps in SmartDashboard (before removing an interface from Cluster object topology, set it to 'NonMonitoredPrivate'):

A. Open the cluster object properties.

B. Go to 'Topology' pane.

C. Click on 'Edit...' button.

D. Remove the Virtual IP address from the pair of the interfaces that should be removed from Cluster object topology.

E. In the 'NetworkObjective' column, select 'NonMonitoredPrivate' (for the interfaces that should be removed from Cluster object topology).

F. Click on 'OK' to apply the changes.

G. Save the changes: go to 'File' menu - click on 'Save'.

H. Install policy on this cluster object.

2. On each cluster member:

A. Connect to the command line (over SSH, or console).

B. Log in to the Expert mode.

C. Run the cphaprobaif command.

D. Check the 'Requirednumberofinterfaces' - the total number has to decrease by the number of interfaces that were congured as 'NonMonitored
Private'.

Example:

If there were 11 interfaces

And 1 interface was congured as 'NonMonitoredPrivate'
Then now 'Requirednumberofinterfaces' should show 10 interfaces.

Note: If the 'Requirednumberofinterfaces' did not decrease, then reboot the problematic cluster member.

3. Perform these steps on the Standby member:

A. Either stop the Clustering by running the 'cphastop' command, or bring this member administratively down by running the 'clusterXL_admindown'
command.

B. Add the interface name to the $FWDIR/conf/discntd.if conguration le (does not apply to Gaia OS R75.47 and R77.20 (and above)).

C. Disconnect the interface cable.

D. Bring the interface down:

Gaia OS:
either in Gaia Clish by running the 'setinterfaceIF_NAMEstateoff' command, or in Gaia Portal

SecurePlatform OS:
either in Expert mode by running the 'ifconfigIF_NAMEdown' command, or in SecurePlatform WebUI

E. Remove an IP address from the interface:

Gaia OS:
either in Gaia Clish, or in Gaia Portal

SecurePlatform OS:
either in 'sysconfig' menu, or in SecurePlatform WebUI

Note: If there are still unused interfaces on cluster members, they must be added to the $FWDIR/conf/discntd.if conguration le - refer to sk30060 and to
ClusterXL Admin Guide (does not apply to Gaia OS R75.47 and R77.20 (and above)).

4. Perform these steps on the Active member:

A. Add the interface name to the $FWDIR/conf/discntd.if conguration le (does not apply to Gaia OS R75.47 and R77.20 (and above)).

B. Disconnect the interface cable.

C. Bring the interface down:

Gaia OS:
either in Gaia Clish by running the 'setinterfaceIF_NAMEstateoff' command, or in Gaia Portal

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57100 3/4
2/20/2017 AddingorremovinganinterfaceinClusterXLHighAvailabilitytopologymightcausefailover
SecurePlatform OS:
either in Expert mode by running the 'ifconfigIF_NAMEdown' command, or in SecurePlatform WebUI

D. Remove an IP address from the interface:

Gaia OS:
either in Gaia Clish, or in Gaia Portal

SecurePlatform OS:
either in 'sysconfig' menu, or in SecurePlatform WebUI

Note: If there are still unused interfaces on cluster members, they must be added to the $FWDIR/conf/discntd.if conguration le - refer to sk30060 and to
ClusterXL Admin Guide (does not apply to Gaia OS R75.47 and R77.20 (and above)).

5. Perform these steps in SmartDashboard:

A. Open Cluster object properties.

B. Go to 'Topology' pane - click on 'Edit...'.

C. Remove the Virtual IP Address from the interface.

D. Remove the interface from the Topology table from each member.

E. Click on 'OK' to apply the changes.

F. Save the changes: go to 'File' menu - click on 'Save'.

G. Install policy onto the cluster object.

6. Perform these steps on Standby member:

A. Connect to the command line (over SSH, or console).

B. Log in to the Expert mode.

C. Either start the Clustering by running the 'cphastart' command, or bring this member administratively up by running the 'clusterXL_adminup' command.

7. Verify that the new interface was delete from cluster topology - run this command on each cluster member:

[Expert@HostName]#cphaprobaif

If the new interface was not deleted yet, then reboot each cluster member.

Related documentation:
Gaia Administration Guide (R75.40, R75.40VS, R76, R77).

SecurePlatform Administration Guide (R65, R70, R71, R75, R75.40, R75.40VS, R76, R77).

ClusterXL Administration Guide (R55, R60, R61, R62, R65, R70, R70.1, R71, R75, R75.20, R75.40, R75.40VS, R76, R77).

Command Line Interface Reference Guide (R55, R60, R61, R62, R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77).

sk30060 - SmartView Tracker repeatedly shows messages "cluster_info: (ClusterXL) interface is down / up".

sk114212 - Synchronization in cluster is broken after moving the "1st Sync" Network Objective to an interface that was dened as "Non-Monitored Private".

sk44268 - Number of 'Required interfaces' in the output of 'cphaprob -a if' command does not change after removing an interface from ClusterXL Topology.

sk93306 - ATRG: ClusterXL R6x and R7x.

Give us Feedback Please rate this document [1=Worst,5=Best]

Enteryourcommenthere
Comment Submit

1994-2017 Check Point Software Technologies Ltd. All rights reserved.
Copyright | Privacy Policy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57100 4/4