| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| 2x Nokia IP530 working as a cluster, IPSO3.6-FCS14, Check Point: FP3. On the Nokia side, we use a multicast mode cluster configuration. In Check Point, we use High Availability mode. Now we have a problem with this configuration: VPN and OWA are very slow. And if we shut down one firewall, VPN and OWA are very fast. One Nokia reseller gave us a suggestion: he thinks that for a multicast mode IPSO cluster we should choose Check Point with Load Sharing, not High Availability. But with this configuration, we worked fine for about 12 months. Any suggestions? Thanks. |
| |||
| It might be working, but your Nokia reseller is correct - if you are running IP clustering on your Nokia boxes, your setting in SmartDashboard should be Load Sharing. Not sure exactly what it looks like on your version, but in R60, the cluster object should have ClusterXL unchecked in the General Pane, then under 3rd party configuration, it should be Load Sharing, Nokia IP Clustering. High Availability is for VRRP. I wonder if your slowness is due to problems synchronising connections between the nodes? If VPN and OWA are very slow, then things are not working fine, are they? |
| |||
| Thanks for your reply. Based on this configuration, we worked fine for nearly one year. But for some unknown reason, it has problems only with VPN and OWA. All inside connections (our firewall is like a big router) are OK. For the Nokia configuration: 1. The heartbeat line is configured as the primary cluster line. The heartbeat line connects through a small hub which only connects the two Nokia IP530s. 2. We have a small network which connects the two Nokias and the management server. But this network is not configured with a cluster IP. |
| |||
| Just to clarify, do you have both your Check Point synchronisation network, and your primary Nokia synchronisation network using the same interfaces on your cluster, through a hub? Having a separate network with just your management station on it, and no cluster IP, is not a problem (well, assuming your management server doesn't need to route beyond the firewalls). If I was in your situation, here are some things I would do: 1/ Have a look at the output of cphaprob syncstat and fw ctl pstat. Look for retransmissions, missing updates, dropped by network, etc. If those numbers are looking high, then that won't be helping. 2/ Related to the above, replace that hub with a pair of switches. Configure two separate VLANs on the switch. Configure a secondary Nokia synchronisation network. Then configure Check Point to use the secondary Nokia sync network as its primary sync network, and the primary Nokia sync as its secondary - make sense? So each one has its own primary sync network, but will fail over to use the other's network if required. That should deal with any network-related issues. 3/ Change your cluster config in SmartDashboard to be Load Sharing. Regardless of whether things have worked OK, you've got a problem with OWA and VPNs, and this is a definite misconfiguration. 4/ While looking over the cluster, check all interfaces for errors - check the Ierrs and Oerrs columns in the output of netstat -in. If you've got any, resolve them. 5/ All of the above can be done in a day or so. No guarantees that it will resolve your specific issue, but you should get better performance out of it. You then need to start thinking about your future path though - I'm guessing you're running FP3, which is the last one supported by Check Point - i.e. soon it will be out of support. I would look to upgrade to a newer version of IPSO and Check Point. Primarily to get IPSO upgraded to take advantage of the improved clustering code. This will take a bit more effort though, and more testing (and maybe more $ too). Out of interest, how busy is your firewall? i.e. typical CPU/memory/throughput/concurrent connections? |
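
The interface error check from the reply above (the Ierrs and Oerrs columns of netstat -in), as an added example that is not part of the original post. It assumes a BSD-style header row beginning with "Name"; the function names, interface names and counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example: list interfaces whose Ierrs or Oerrs counters are non-zero.
# Assumption: netstat -in prints a header row that names both columns.

# Constructed sample output (not captured from a real firewall).
# The eth2 row has an empty Address column, so it has one field fewer.
sample_netstat() {
cat <<'EOF'
Name  Mtu   Network     Address         Ipkts Ierrs   Opkts Oerrs  Coll
eth1  1500  <Link>      0:a0:8e:0:0:1  120034     0   98012     0     0
eth1  1500  192.0.2     192.0.2.1      120034     0   98012     0     0
eth2  1500  <Link>                      88211    57   90114     3     0
eth3  1500  198.51.100  198.51.100.1    40120     0   39877    12     0
EOF
}

# Reads netstat -in output on stdin, prints one line per interface with errors.
iface_errors() {
    awk '
    # Header: record each counter as an offset from the right-hand edge,
    # so rows with a blank Address column still line up.
    $1 == "Name" {
        for (i = 1; i <= NF; i++) {
            if ($i == "Ierrs") { in_off = NF - i; has_in = 1 }
            if ($i == "Oerrs") { out_off = NF - i; has_out = 1 }
        }
        next
    }
    has_in && has_out && NF > in_off {
        ierrs = $(NF - in_off); oerrs = $(NF - out_off)
        # Skip rows whose counters are not plain numbers (for example "-").
        if (ierrs !~ /^[0-9]+$/ || oerrs !~ /^[0-9]+$/) next
        # An interface is listed once per address; keep the largest value.
        if (ierrs + 0 > maxi[$1] + 0) maxi[$1] = ierrs
        if (oerrs + 0 > maxo[$1] + 0) maxo[$1] = oerrs
        seen[$1] = 1
    }
    END {
        for (n in seen)
            if (maxi[n] + 0 > 0 || maxo[n] + 0 > 0)
                printf "%s Ierrs=%d Oerrs=%d\n", n, maxi[n], maxo[n]
    }' | sort
}

# On a live system: netstat -in | iface_errors
sample_netstat | iface_errors
```

Counters are cumulative, so comparing two runs taken a few minutes apart shows whether the errors are still increasing.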
| |||
| Thank you for your reply. To answer your question, my firewall's workload is not so high. CPU usage is normally below 25%, and memory usage is normally about 92%. Last edited by longname; 2006-08-22 at 02:59. |