vSEC Cluster in Microsoft Azure failed over even though there was no connectivity between networks
Solution ID: sk116212
Product: vSEC for Azure
Version: R77.30
OS: Gaia
Platform / Model: Azure
Date Created: 20-Mar-2017
Last Modified: 26-Mar-2017
Symptoms
vSEC Cluster in Microsoft Azure failed over even though there was no connectivity between networks.
Running the $FWDIR/scripts/azure_ha_test.py script (per sk110194) on cluster members showed:
All tests were successful!
Debug of the Azure HA daemon (per sk110194) showed in the $FWDIR/log/azure_had.elg file that the API calls fail:
{"error":{"code":"AuthorizationFailed","message":"The client '<XXX>' with object id '<XXX>' does not have authorization to perform action '<YYY>' over scope '/subscriptions/...'."}}
Examples:
{"error":{"code":"AuthorizationFailed","message":"The client 'f7...f9' with object id 'f7...f9' does not have authorization to perform action 'microsoft.compute/virtualmachines/read' over scope '/subscriptions/b4...10/resourceGroups/MY-CLUSTER/providers/Microsoft.Compute/virtualMachines/MyClusterMember1'."}}
{"error":{"code":"AuthorizationFailed","message":"The client '96...c2' with object id '96...c2' does not have authorization to perform action 'Microsoft.Network/routeTables/read' over scope '/subscriptions/ca...da/resourceGroups/MY-CLUSTER/providers/Microsoft.Network/routeTables/From_Apim_Route'."}}
Cause
The Microsoft Azure cluster API calls fail because no proper user or role is configured for the specific object.
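One way to turn these log entries into a list of role assignments to review, as an added example (not Check Point code): it parses AuthorizationFailed entries in the format shown under Symptoms and groups the denied actions by client and scope. The function names, and the assumption that a log line may carry other text before the JSON, are hypothetical.

```python
import json
import re
from collections import defaultdict

# Message layout as shown in the article's AuthorizationFailed examples.
MSG_RE = re.compile(
    r"The client '(?P<client>[^']*)' with object id '[^']*' does not have "
    r"authorization to perform action '(?P<action>[^']*)' over scope '(?P<scope>[^']*)'"
)

def parse_line(line):
    """Return (client, action, scope) for an AuthorizationFailed line, else None."""
    start = line.find('{"error"')  # assumption: the log may prefix the JSON with other text
    if start == -1:
        return None
    try:
        body, _ = json.JSONDecoder().raw_decode(line[start:])
    except ValueError:
        return None
    err = body.get("error")
    if not isinstance(err, dict) or err.get("code") != "AuthorizationFailed":
        return None
    m = MSG_RE.search(str(err.get("message", "")))
    if not m:
        return None
    # Lower-case the action so the same permission logged with different casing merges.
    return m["client"], m["action"].lower(), m["scope"]

def missing_permissions(lines):
    """Group denied actions by (client, scope): the role assignments to review."""
    denied = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit:
            denied[(hit[0], hit[2])].add(hit[1])
    return {key: sorted(actions) for key, actions in denied.items()}

# First two lines: the article's own examples (IDs elided as published).
# Third line: constructed duplicate with a made-up prefix, to show de-duplication.
SAMPLE = [
    '''{"error":{"code":"AuthorizationFailed","message":"The client 'f7...f9' with object id 'f7...f9' does not have authorization to perform action 'microsoft.compute/virtualmachines/read' over scope '/subscriptions/b4...10/resourceGroups/MY-CLUSTER/providers/Microsoft.Compute/virtualMachines/MyClusterMember1'."}}''',
    '''{"error":{"code":"AuthorizationFailed","message":"The client '96...c2' with object id '96...c2' does not have authorization to perform action 'Microsoft.Network/routeTables/read' over scope '/subscriptions/ca...da/resourceGroups/MY-CLUSTER/providers/Microsoft.Network/routeTables/From_Apim_Route'."}}''',
    '''constructed-prefix: {"error":{"code":"AuthorizationFailed","message":"The client 'f7...f9' with object id 'f7...f9' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read' over scope '/subscriptions/b4...10/resourceGroups/MY-CLUSTER/providers/Microsoft.Compute/virtualMachines/MyClusterMember1'."}}''',
]

if __name__ == "__main__":
    for (client, scope), actions in missing_permissions(SAMPLE).items():
        print(f"client {client}\n  scope  {scope}\n  denied {', '.join(actions)}")
```

Each (client, scope) pair in the result names the object whose role assignment needs checking, and the action list shows which permissions the role must include.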