Cluster member with CoreXL enabled is in "Ready" state


Article ID: 168090


Updated On:

Products

XOS

Issue/Introduction

The output of the cphaprob state command shows a state of "Ready" for a cluster member in a cluster environment where CoreXL is enabled on each member. This will cause a Check Point state synchronization problem.

Example

fw_1 (group10): ~$ cphaprob stat

Cluster Mode: Sync only (OPSEC)

Number     Unique Address  Firewall State (*)

3 (local)  2.2.2.1         Ready
4          2.2.2.2         Active

fw_2 (group10): ~$ cphaprob stat

Cluster Mode: Sync only (OPSEC)

Number     Unique Address  Firewall State (*)

3          2.2.2.1         Active
4 (local)  2.2.2.2         Ready

Cause

Problem: If a cluster member with CoreXL enabled reports a "Ready" state in response to the cphaprob state command, it may be because the member has been configured with a different number of CoreXL instances than other cluster members.
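The symptom in the example above can be checked for automatically. The following is an added example, not part of the original article or of any vendor tooling: it parses captured cphaprob stat output from each member and reports members whose own (local) row is "Ready". The function names and the healthy sample are assumptions made for illustration.

```python
import re

# One member row: number, optional "(local)" marker, IPv4 address, state text.
ROW = re.compile(
    r"^\s*(\d+)\s+(\(local\)\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s+(.+?)\s*$")

def parse_cphaprob_stat(text):
    """Parse member rows from `cphaprob stat` output into dicts."""
    members = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and "Cluster Mode" lines do not match and are skipped
            members.append({"number": int(m.group(1)),
                            "local": m.group(2) is not None,
                            "address": m.group(3),
                            "state": m.group(4)})
    return members

def local_ready_members(outputs):
    """Given {member name: output}, list members whose own row is 'Ready'."""
    flagged = []
    for name, text in outputs.items():
        for row in parse_cphaprob_stat(text):
            if row["local"] and row["state"].lower() == "ready":
                flagged.append((name, row["address"]))
    return flagged

HEADER = "Cluster Mode: Sync only (OPSEC)\nNumber Unique Address Firewall State (*)\n"
# The two outputs from the article's example.
ARTICLE_SAMPLE = {
    "fw_1": HEADER + "3 (local) 2.2.2.1 Ready\n4 2.2.2.2 Active\n",
    "fw_2": HEADER + "3 2.2.2.1 Active\n4 (local) 2.2.2.2 Ready\n",
}
# Constructed sample of a healthy member, for contrast (not from the article).
HEALTHY_SAMPLE = {
    "fw_1": HEADER + "3 (local) 2.2.2.1 Active\n4 2.2.2.2 Active\n",
}

if __name__ == "__main__":
    for name, addr in local_ready_members(ARTICLE_SAMPLE):
        print(f"{name}: local member {addr} is Ready; "
              "compare CoreXL instance counts across members")
```

A member flagged here is a prompt to compare the configured CoreXL instance count on every member, as described in the Resolution.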

Resolution

Make sure all cluster members are configured with the same number of cores.

To Set the Number of CoreXL Instances

From the XOS CLI, run the following command. The example shows the appropriate responses to the interview questions.

CBS# application cpsg vap-group <vap-group name> config

Check Point Software Technologies LTD., Check Point Security Gateway R70 release 2.0.0.0-14

Check Point Security Gateway Configuration Menu

1. Licenses
2. SNMP Extension
3. Secure Internal Communication
4. High Availability/State Synchronization
5. Check Point Optional Packages
6. Check Point SecureXL
7. Check Point CoreXL
8. Exit

Enter choice: 7
===============================================================================

Answer the questions below to configure this application. Type '?' for help.

Check Point CoreXL is enabled.
Do you want CoreXL to remain enabled? [y]:

How many firewall instances would you like to enable (2 to 8)?
(Enter '?' for important information) [3]: ?

When CoreXL is enabled, the firewall kernel is replicated multiple times. Each replicated instance of the firewall kernel runs on one processing core.

All cluster members must have the same number of firewall instances configured when both CoreXL and HA are enabled.

The number of firewall instances should not be greater than the smallest number of cores among the APMs in the vap-group. If you enter a number greater than the number of cores on the APM, Check Point Security Gateway won't be started on the VAP.

NOTE: Crossbeam recommends only using the 8-core APM with 6 firewall instances for this release. Please see the Installation and Configuration Guide for more information.

Recommended CoreXL configuration on APM:
2 core APM - 2 firewall instances
4 core APM - 3 firewall instances
8 core APM - 6 firewall instances

How many firewall instances would you like to enable (2 to 8)?
(Enter '?' for important information) [3]:2

Workaround

N/A