Wednesday, October 17, 2018

Magic MAC - Cluster Down, Not Passing Traffic, RSA Authentication Failed

If your VPN does not pass traffic, the cluster is down, or you cannot SSH to your gateway,
check the following:


  1. Magic Mac
  2. The Check Point certificate, issued by the internal management Certificate Authority, that binds the connection between the cluster and the client may have expired. This certificate has a 5-year lifetime. A notification is issued 60 days before, and leading up to, certificate expiration each time policy is pushed (see sk101049).
  3. Sync Cable
  4. Clock Time of both Cluster Members


MY-FWA> cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         2
MAC forward magic: 1

Used MAC magic values:
0x01(001)  0x03(003)  0x64(100)

MY-FWA>

# cphaconf set_ccp broadcast

[Expert@FW]# tcpdump -i Sync -nnn -vvv -e port 8116



GAiA is a Red Hat based Linux with a 2.6.18 kernel, and Check Point ClusterXL works the same as before.

If you are upgrading to GAiA or installing fresh in a cluster configuration, you may need to take care of the so-called "magic MAC" settings.

To remind you briefly, "magic mac" is an artificial MAC address used in CCP, Cluster Control Protocol, responsible for probing, messaging and sync communications in ClusterXL. Once you have more than one cluster in the same network, you have to change magic mac settings starting from the second cluster and up.

Some details about the change are given in sk66527.

GAiA or SPLAT, it makes no difference. If you are using ClusterXL and not VRRP, follow the mentioned solution.

For those who do not have the access, here is a quick HOWTO:

First, make sure your magic MAC values are at their defaults. To check, run the commands fw ctl get int fwha_mac_magic and fw ctl get int fwha_mac_forward_magic, as in the example below:

# fw ctl get int fwha_mac_magic
fwha_mac_magic = 254
# fw ctl get int fwha_mac_forward_magic
fwha_mac_forward_magic = 253

The default settings are, as shown, 254 and 253.

On the second cluster you will have to do the following: 

On each of the Cluster Modules
1. cd $FWDIR/boot/modules
2. create the fwkern.conf file by: # vi fwkern.conf
3. Add the required parameters and values as given below:
fwha_mac_magic=250
fwha_mac_forward_magic=251


Note that these values (250 and 251 in this example) must be unique for each cluster you change and must not equal the defaults (254 and 253).
4. Save fwkern.conf
5. Verify that fwkern.conf is correctly configured by: # more fwkern.conf
6. Reboot the Module
7. Verify that the new magic MAC settings are correctly configured by:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
8. Verify the Cluster Module status by:
# cphaprob stat
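As an added pre-flight check (not part of the original HOWTO), the script below reads the fwkern.conf you intend to install on both members and the "Used MAC magic values" line from cphaprob mmagic, and reports defaults, member mismatches and collisions before you reboot. It assumes that the "Used MAC magic values" list shows magic values already in use by other clusters on the same network; all sample input is constructed.

```python
"""Sanity-check ClusterXL magic MAC settings before rebooting a member."""
import re

DEFAULT_MAGIC = 254          # fwha_mac_magic default
DEFAULT_FORWARD_MAGIC = 253  # fwha_mac_forward_magic default


def parse_fwkern_conf(text):
    """Return {param: int} from fwkern.conf lines such as 'fwha_mac_magic=250'."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = int(value.strip())
    return params


def parse_used_magic(mmagic_output):
    """Collect the decimal values from entries like '0x64(100)' in 'cphaprob mmagic' output.
    Assumption: these are magic values already used by other clusters on the network."""
    return {int(dec) for dec in re.findall(r"0x[0-9a-fA-F]+\((\d+)\)", mmagic_output)}


def check_magic(conf_member_a, conf_member_b, used_on_network):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    a, b = parse_fwkern_conf(conf_member_a), parse_fwkern_conf(conf_member_b)
    if a != b:
        problems.append("cluster members disagree on magic MAC settings")
    for key, default in (("fwha_mac_magic", DEFAULT_MAGIC),
                         ("fwha_mac_forward_magic", DEFAULT_FORWARD_MAGIC)):
        val = a.get(key)
        if val is None:
            problems.append(f"{key} missing from fwkern.conf")
            continue
        if not 1 <= val <= 255:
            problems.append(f"{key}={val} is outside 1-255")
        if val == default:
            problems.append(f"{key}={val} is the default; the first cluster may use it")
        if val in used_on_network:
            problems.append(f"{key}={val} is already in use on this network")
    if a.get("fwha_mac_magic") == a.get("fwha_mac_forward_magic"):
        problems.append("fwha_mac_magic and fwha_mac_forward_magic must differ")
    return problems


# Constructed samples: the values from the HOWTO and the mmagic output shown above.
SAMPLE_CONF = "fwha_mac_magic=250\nfwha_mac_forward_magic=251\n"
SAMPLE_MMAGIC = "Used MAC magic values:\n0x01(001)  0x03(003)  0x64(100)\n"
```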



- check for multicast dropping on the switch
- check interface errors with "netstat -in"
  > look for RX errors (drops, overruns, ...)

- as a next step, set CCP to broadcast (cphaconf set_ccp broadcast)