About author
Valeri Loukine
CCMA 0019
Ex-Check Point, Senior Security Consultant - Dimension Data
Email: varera@gmail.com
Blog: http://checkpoint-masterarchitect.blogspot.com/
CPUG 2011 Chur Switzerland
Wednesday, September 14, 2011
Agenda
Check Point solutions, aka ClusterXL (HA, Load Sharing)
Advanced features and problematic scenarios
3rd party clusters
Some troubleshooting
CCP
Cluster Control Protocol (CCP) runs on UDP port 8116.
In ClusterXL, CCP runs on all interfaces.
Note: when VLANs are used, CCP runs only on the lowest VLAN ID.
CCP is in charge of
Health status reports
Cluster member probing
State change commands
Querying for cluster membership
State table synchronization
CCP modes
Multicast or broadcast
To change: cphaconf set_ccp STATE
$FWDIR/boot/ha_boot.conf
The MAC address used for multicast is determined with a special algorithm.
State Sync
Used to exchange kernel table information between cluster members
Full Sync and Delta Sync
Full Sync
Happens upon boot
fwd communication on port 256
Does not have to be on the Sync interface
Delta Sync
Done over CCP (UDP 8116)
Updates changes in kernel tables incrementally
How it works
When a cluster member starts, it requests a Full Sync and existing connections information
Upon Full Sync (FS) completion, the cluster member changes its state to Standby
From now on, Delta Sync occurs
Only changes are synced
Some may be not synced (configurable)
Tuning Sync
Sync summary
Global - supports all kernel table operations
Transparent - does not require direct awareness of its existence
User mode applications information is not synced! (Security Servers, etc.)
Sync packets received:
 total : 134755, were queued : 221, dropped by net : 101
 retrans reqs : 29, received 26 acks
 retrans reqs for illegal seq : 0
 dropped updates as a result of sync overload: 0
Callback statistics: handled 11 cb, average delay : 1, max delay : 1
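As an added example (not from the slides), a small Python checker that parses the sync counters above and flags the conditions a troubleshooter looks for; the warning thresholds are assumed values for illustration, not Check Point guidance.

```python
import re

# Constructed sample in the layout of the sync statistics shown above.
SAMPLE_STATS = """\
Sync packets received:
 total : 134755, were queued : 221, dropped by net : 101
 retrans reqs : 29, received 26 acks
 retrans reqs for illegal seq : 0
 dropped updates as a result of sync overload: 0
Callback statistics: handled 11 cb, average delay : 1, max delay : 1
"""

# Counters that matter when judging Delta Sync health.
_FIELDS = {
    "total": r"total\s*:\s*(\d+)",
    "queued": r"were queued\s*:\s*(\d+)",
    "dropped_by_net": r"dropped by net\s*:\s*(\d+)",
    "retrans_reqs": r"retrans reqs\s*:\s*(\d+)",
    "illegal_seq": r"retrans reqs for illegal seq\s*:\s*(\d+)",
    "overload_drops": r"sync overload\s*:\s*(\d+)",
}

def parse_sync_stats(text):
    """Return the counters as integers (0 when a field is missing)."""
    stats = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        stats[name] = int(m.group(1)) if m else 0
    return stats

def assess_sync(stats, drop_pct_warn=0.05, retrans_pct_warn=0.1):
    """Rate the counters; thresholds are assumed values, not vendor guidance."""
    total = stats["total"] or 1          # avoid division by zero
    drop_pct = 100.0 * stats["dropped_by_net"] / total
    retrans_pct = 100.0 * stats["retrans_reqs"] / total
    findings = []
    if drop_pct > drop_pct_warn:
        findings.append("sync packets dropped by the network: check the sync link")
    if retrans_pct > retrans_pct_warn:
        findings.append("high retransmission request rate")
    if stats["illegal_seq"]:
        findings.append("retransmission requests for illegal sequence numbers")
    if stats["overload_drops"]:
        findings.append("updates dropped by sync overload: member is not keeping up")
    return {"drop_pct": round(drop_pct, 3),
            "retrans_pct": round(retrans_pct, 3),
            "findings": findings}

if __name__ == "__main__":
    print(assess_sync(parse_sync_stats(SAMPLE_STATS)))
```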
Pnote
A critical device, also known as a Problem Notification (pnote)
If a critical device stops functioning, this is defined as a failure
fwd and cphad are predefined
Also checked: policy (filter), sync and interfaces
Pnote
To check: cphaprob list
cphaprob list
Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0 sec
Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec
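As an added example (not from the slides), a Python parser for the cphaprob list layout above that reports any pnote device whose state is not OK or whose last report is older than its timeout; the sample is constructed, with fwd altered to show a failing device.

```python
import re

# Constructed sample in the layout of "cphaprob list"; fwd is altered to fail.
SAMPLE_LIST = """\
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: problem
Time since last report: 5.1 sec
"""

def _num(pattern, block):
    """Extract a numeric field, or None when the device has no such line."""
    m = re.search(pattern, block)
    return float(m.group(1)) if m else None

def parse_pnotes(text):
    """Split the output on blank lines and return one dict per device."""
    devices = []
    for block in re.split(r"\n\s*\n", text):
        name = re.search(r"Device Name:\s*(.+)", block)
        if not name:
            continue                      # section headers, not devices
        state = re.search(r"Current state:\s*(\S+)", block)
        devices.append({
            "name": name.group(1).strip(),
            "state": state.group(1) if state else None,
            "timeout": _num(r"Timeout:\s*([\d.]+)", block),
            "since": _num(r"Time since last report:\s*([\d.]+)", block),
        })
    return devices

def check_pnotes(devices):
    """Map each unhealthy device name to the reasons it would cause a failover."""
    problems = {}
    for d in devices:
        reasons = []
        if d["state"] != "OK":
            reasons.append("state is %s" % d["state"])
        if d["timeout"] is not None and d["since"] is not None and d["since"] > d["timeout"]:
            reasons.append("no report for %.1f s (timeout %.0f s)" % (d["since"], d["timeout"]))
        if reasons:
            problems[d["name"]] = reasons
    return problems
```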
OS must be the same.
FW-1 version must be the same.
Installed products must be the same.
NOTE : Check Point recommends that customers use the same hardware.
ClusterXL basics
ClusterXL
CP clustering product (CCP), UDP 8116
Same for both HA and LS solutions
Supports Solaris, SPLAT and Linux, not IPSO
4 modes of operation: HA Legacy and New, LS Multicast and Unicast!
HA new mode
Active - Standby roles
CCP runs on multicast by default
Active member answers whois ARP for the VIP with its physical MAC address
Sync is done
If Active fails, Standby takes over and becomes Active
#cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number     Assigned Load   State
1 (local)  100%            active
2          0%              standby
HA legacy mode
Linux only
Both members are configured to have the same IP addresses and the SAME MAC addresses on clustered interfaces
LS multicast mode
Both members process traffic
whois is answered with a virtual multicast MAC shared among members
#cphaprob stat
Cluster Mode: Load Sharing (Multicast)
Number     Unique Address   Assigned Load   State
1          192.10.0.1       33%             active
2          192.10.0.2       33%             active
3 (local)  192.10.0.3       33%             active
LS pivot (unicast) mode
Pivot always answers whois with its physical MAC
#cphaprob stat
Cluster Mode: Load Sharing (Unicast)
Assigned Load   State
30%             active (pivot)
70%             active
Advanced parameters
Asymmetric Routing
Session from standby (Forwarding)
Block new Conns
Different subnet
Magic MAC
Disconnected interfaces
Asymmetric Routing
C2S packet goes through one cluster member, S2C packet goes through another
What's the problem?
Race conditions (syn/syn-ack/ack)
Features without sync (Security Servers)
NATed and encrypted connections
Data connections
Resolution:
Flush and Ack mechanism: hold a packet that made a change in the kernel table until the change is synced successfully
Sticky Decision Function (SDF)
SDF - when?
FTP and Hide NAT: the data connections are passed through the same cluster member as the control connection
SDF - limitations
Some connection types are not recognized by SDF; the default DF will be used
SDF does not work with SecureXL: acceleration will be stopped
Does not work for VPN routing
Different Subnet
When the VIP is not on the same subnet as the physical member IP addresses
Automatic ARP is not supported; local.arp is required
May need some additional static routes
Magic MAC
Used by CCP on Layer 2
Belongs to all members on all interfaces
Forward MAC is used to forward packets
fwha_mac_magic 0xfe
fwha_mac_forward_magic 0xfd
Disconnected Interfaces
Interfaces that do not run CCP
Sync interface must NOT be disconnected
$FWDIR/conf/discntd.if, reboot
May define in topology as private
No need to list them in 3rd party clusters
3rd party clusters
There were many vendors
Now Crossbeam and IPSO, what else?
ClusterXL - only Sync
Active: everything is good, passing traffic
Active Attention: something is wrong in the cluster, I am passing traffic
Down: one of the critical devices is down, not passing traffic
Ready: upgraded, the old-version member is Active, not passing traffic
Standby: everything is good, not passing traffic
Initializing: cluster member is booting up, ClusterXL product is already running, VPN-1 Pro is not yet ready, Full Sync is not completed
Troubleshooting tools
CLI
cphaprob
  list
  -a if
  state
Cluster debug flags (kdebug messages):
  conf - Configuration related
  if - Interface tracking and validation
  stat - Cluster module state change
  select - Packet selection including DF
  ccp - Cluster control packet handling
  pnote - Pnote device
(c) Valeri Loukine 2011
Other tips
Snoop (still using UDP port 8116 traffic)
fw monitor (forwarded packets may cause confusion)