Cluster member with CoreXL enabled is in "Ready" state
Article ID: 168090
Updated On:
Products
XOS
Issue/Introduction
Cluster member with CoreXL enabled is in "Ready" stateThe output of the cphaprob state command shows a state of "Ready" for a cluster member in a cluster environment where CoreXL is enabled on each member. This will cause a Check Point state synchronization problem.
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
3 (local) 2.2.2.1 Ready
4 2.2.2.2 Active
fw_2 (group10): ~$ cphaprob stat
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
3 2.2.2.1 Active
4 (local) 2.2.2.2 Ready
Example
fw_1 (group10): ~$ cphaprob statCluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
3 (local) 2.2.2.1 Ready
4 2.2.2.2 Active
fw_2 (group10): ~$ cphaprob stat
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
3 2.2.2.1 Active
4 (local) 2.2.2.2 Ready
Cause
Problem: If a cluster member with CoreXL enabled reports a "Ready" state in response to the cphaprob state command, it may be because the member has been configured with a different number of CoreXL instances than other cluster members.
Resolution
Make sure all cluster members are configured with the same number of cores.
CBS# application cpsg vap-group <vap-group name> config
Check Point Software Technologies LTD., Check Point Security Gateway R70 release 2.0.0.0-14
Check Point Security Gateway Configuration Menu
1. Licenses
2. SNMP Extension
3. Secure Internal Communication
4. High Availability/State Synchronization
5. Check Point Optional Packages
6. Check Point SecureXL
7. Check Point CoreXL
8. Exit
Enter choice: 7
===============================================================================
Answer the questions below to configure this application. Type '?' for help.
Check Point CoreXL is enabled.
Do you want CoreXL to remain enabled? [y]:
How many firewall instances would you like to enable (2 to 8)?
(Enter '?' for important information) [3]: ?
When CoreXL is enabled, the firewall kernel is replicated multiple times. Each replicated instance of the firewall kernel runs on one processing core.
All cluster members must have the same number of firewall instances configured when both CoreXL and HA are enabled.
The number of firewall instances should not be greater than the smallest number of cores among the APMs in the vap-group. If you enter a number greater than the number of cores on the APM, Check Point Security Gateway won't be started on the VAP.
NOTE: Crossbeam recommends only using the 8-core APM with 6 firewall instances for this release. Please see the Installation and Configuration Guide for more information.
Recommended CoreXL configuration on APM:
2 core APM - 2 firewall instances
4 core APM - 3 firewall instances
8 core APM - 6 firewall instances
How many firewall instances would you like to enable (2 to 8)?
(Enter '?' for important information) [3]:2
To Set the Number of CoreXL Instances
From the XOS CLI, run the following command. The example shows the appropriate responses to the interview questions.CBS# application cpsg vap-group <vap-group name> config
Check Point Software Technologies LTD., Check Point Security Gateway R70 release 2.0.0.0-14
Check Point Security Gateway Configuration Menu
1. Licenses
2. SNMP Extension
3. Secure Internal Communication
4. High Availability/State Synchronization
5. Check Point Optional Packages
6. Check Point SecureXL
7. Check Point CoreXL
8. Exit
Enter choice: 7
===============================================================================
Answer the questions below to configure this application. Type '?' for help.
Check Point CoreXL is enabled.
Do you want CoreXL to remain enabled? [y]:
How many firewall instances would you like to enable (2 to 8)?
(Enter '?' for important information) [3]: ?
When CoreXL is enabled, the firewall kernel is replicated multiple times. Each replicated instance of the firewall kernel runs on one processing core.
All cluster members must have the same number of firewall instances configured when both CoreXL and HA are enabled.
The number of firewall instances should not be greater than the smallest number of cores among the APMs in the vap-group. If you enter a number greater than the number of cores on the APM, Check Point Security Gateway won't be started on the VAP.
NOTE: Crossbeam recommends only using the 8-core APM with 6 firewall instances for this release. Please see the Installation and Configuration Guide for more information.
Recommended CoreXL configuration on APM:
2 core APM - 2 firewall instances
4 core APM - 3 firewall instances
8 core APM - 6 firewall instances
How many firewall instances would you like to enable (2 to 8)?
(Enter '?' for important information) [3]:2
Workaround
N/AFeedback
Yes
No
Powered by
