CPUG: The Check Point User Group

Thread: Interface Bonding on UTM Appliances not supported!

  1. #1

    Hello experts,

    I have been doing some work for a big customer and we ran into the following problem: Customer had two HP ProCurve switches configured as a VRRP cluster. They also have a CP ClusterXL with two UTM-Appliances (1050). One member is connected to one switch and the other member to the other switch.

    Whenever a switch failover occurs, we ended up with a gateway failover. Customer was not so happy with that. So, they decided to have Interface Bonding configuration. What I noticed: Interface Bonding can be configured on the UTM appliance, but it does not work! After switch fall back, you do not get a bond fallback. Whenever a switch is down, the appropriate bond interface is going down, even after the interfaces within a bond fail over.

    In the manuals Check Point states that the Media Independent Interface Standard is assumed when configuring Interface Bonding. But the interfaces of the Appliance are apparently not supporting this functionality (type "mii-tool" into the CLI). So, I conclude that UTM appliances are not supporting bonding. In my project, it is likely to throw the appliances away and to substitute them with IP Appliances or Open Servers. So, be careful when purchasing the appropriate gateway hardware! My experiences with Check Point appliances are quite bad.

    Regards, Yasushi

  2. #2

    Hi Yasushi.

    What VPN-1 version are you testing this with?

  3. #3

    Quote Originally Posted by Yasushi Kono View Post
    Whenever a switch failover occurs, we ended up with a gateway failover. Customer was not so happy with that. So, they decided to have Interface Bonding configuration.
    Interface bonding will not fix the issue you describe. If you are bonding the interfaces and plugging each one into a different switch, you're going to see some weird issues. The port must be bound on both the host side and the switches.

  4. #4

    Hi Robert,

    the customer is using NGX R65. According to the documentation, bonding is a new feature of R65.

    Regards,
    Yasushi

  5. #5

    Quote Originally Posted by belvdr View Post
    Interface bonding will not fix the issue you describe. If you are bonding the interfaces and plugging each one into a different switch, you're going to see some weird issues. The port must be bound on both the host side and the switches.
    You are right, but in the VRRP configuration of the switches, I was told that the ports were "interlinked" to each other. So, upon a port failover, the active gateway should remain active and only the other interface within the bond should switch over.

    Kind regards,
    Yasushi

  6. #6

    Quote Originally Posted by Yasushi Kono View Post

    the customer is using NGX R65. According to the documentation, bonding is a new feature of R65.
    I think you need R70.1 before this will work - you can upgrade a 1050 to R70.1, worth a try....

  7. #7

    Quote Originally Posted by Yasushi Kono View Post
    You are right, but in the VRRP configuration of the switches, I was told that the ports were "interlinked" to each other. So, upon a port failover, the active gateway should remain active and only the other interface within the bond should switch over.

    Kind regards,
    Yasushi
    VRRP is a layer 3 configuration used to provide redundancy in routing. Link aggregation, or 802.3ad (now in the 802.1 stack), is a layer 2 configuration.

    As far as I know, HP doesn't provide link aggregation across physical chassis, at least their documentation doesn't seem to indicate that. Cisco's VSS1440 provides this type of capability, so that even though there are two physical chassis, they operate as one logically.

    I just want to throw that out there before you proceed with this. Instead of bonding in active/active, you may see if you can do an active/passive configuration with the NICs instead.

  8. #8

    Agree with above about problems of bonding across switches. If you've got clustered switches, then you can do active/active bonding, but if the switches are not operating as a single logical switch, you can only do active/passive.

    (nb this is with Linux and Windows servers, haven't done it myself with a UTM box).

  9. #9

    Same holds true with SPLAT.

  10. #10

    Quote Originally Posted by chillyjim View Post
    Same holds true with SPLAT.
    Hi Jim and all the other contributors,

    I am referring to the CP documents. There you can read that MII compatible NICs are assumed when configuring bonding. We noticed that the NICs of the UTM Appliances were not MII compliant, so this could be the reason why bonding is not working as it is supposed to.

    We also tested the active/passive configuration and it did not work. The administrators told me that even if a gateway fall back does not occur after a switch fall back, the connectivity should work anyway. I am not a ProCurve expert, so I have to believe what they are saying.


    Thanks again for your contribution.

    Kind regards,
    Yasushi

  11. #11

    Quote Originally Posted by Yasushi Kono View Post

    We also tested the active/passive configuration and it did not work. The administrators told me that even if a gateway fall back does not occur after a switch fall back, the connectivity should work anyway. I am not a ProCurve expert, so I have to believe what they are saying.
    What I've seen with active/passive NIC teaming on other hardware is that it will switch over if there is a failure, but then will stay on the second NIC, until that one fails, or the box is rebooted. Connectivity is not affected, it just is slightly less efficient - you've now got one extra switch in the path.

  12. #12

    This works in IPSO, with the latest versions. Earlier versions had an issue with not sending out a grat arp. Of course the switches also have to support link aggregation across 2 physical switches, and not even all Cisco switches support this.

    Splat should work correctly, as long as the underlying switches do as well.

    -Pierre

  13. #13

    Quote Originally Posted by Yasushi Kono View Post
    There you can read that MII compatible NICs are assumed when configuring bonding. We noticed that the NICs of the UTM Appliances were not MII compliant, so this could be the reason why bonding is not working as it is supposed to.
    Was this confirmed in the end... i.e. does 802.3ad based link bonding work on the UTM-1s 2070/3070 etc.?
    Last I checked the options in the various menus are there to configure it.... so what are the limitations in people's operational experience?

    /Edit: Mentioned in the ClusterXL Admin Guide - http://downloads.checkpoint.com/dc/d...d.htm?ID=10641
    Last edited by AKKO_CP; 2012-09-08 at 08:56.
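
The replies in #7, #8 and #11 describe three bond states worth checking on a gateway: 802.3ad ports that land on two independent switches, a bond with no link monitoring, and an active/passive bond that never fails back. The following is an added example, not code from the thread or from Check Point; it assumes the gateway exposes the standard Linux bonding driver status file under /proc/net/bonding/, and the sample inputs and finding codes are constructed for illustration.

```python
# Added example. Samples are constructed in the layout of /proc/net/bonding/<bond>.
SPLIT_LACP = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Polling Interval (ms): 100
Slave Interface: eth0
MII Status: up
Aggregator ID: 1
Slave Interface: eth1
MII Status: up
Aggregator ID: 2
"""
ACTIVE_BACKUP = """\
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Polling Interval (ms): 100
Slave Interface: eth0
MII Status: down
Slave Interface: eth1
MII Status: up
"""

# Split the status text into bond-level fields and one dict per slave section.
def parse_bond(text):
    bond = {"slaves": []}
    section = bond
    for key, sep, value in (l.partition(":") for l in text.splitlines()):
        if key.strip() == "Slave Interface":
            section = {"name": value.strip()}
            bond["slaves"].append(section)
        elif sep:
            section.setdefault(key.strip(), value.strip())  # first value wins
    return bond

def audit_bond(text):
    bond, findings = parse_bond(text), []
    mode = bond.get("Bonding Mode", "")
    polls = [bond.get(k, "0") for k in ("MII Polling Interval (ms)", "ARP Polling Interval (ms)")]
    if polls == ["0", "0"]:
        findings.append("no-link-monitoring")      # link failures go undetected
    for s in bond["slaves"]:
        if s.get("MII Status") != "up":
            findings.append("slave-down:" + s["name"])
    if "802.3ad" in mode and len({s.get("Aggregator ID") for s in bond["slaves"]}) > 1:
        findings.append("lacp-split-aggregators")  # ports did not join one LAG
    if "active-backup" in mode and bond.get("Primary Slave", "None").startswith("None"):
        findings.append("no-failback")             # stays on current NIC after recovery
    return findings

print(audit_bond(SPLIT_LACP), audit_bond(ACTIVE_BACKUP))
```

On a live system, pass the contents of the bond's status file to `audit_bond` instead of the constructed samples.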
