CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: What are the issues in active-active scenario?

  1. #1
    Join Date
    2014-07-07
    Posts
    4
    Rep Power
    0

    Default What are the issues in active-active scenario?

    All the firewalls in our environment were configured with active-standby. We have a new set of 12000 series appliances where our solution architect is asking us to configure an active-active scenario. I have seen that most companies' environments have active-standby. Are there any real issues with this active-active kind of approach on firewalls?

  2. #2
    Join Date
    2014-09-02
    Posts
    360
    Rep Power
    10

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by muralidkosaraju View Post
    All the firewalls in our environment were configured with active-standby. We have a new set of 12000 series appliances where our solution architect is asking us to configure an active-active scenario. I have seen that most companies' environments have active-standby. Are there any real issues with this active-active kind of approach on firewalls?
    While I believe most here will agree that it's better to run High Availability (active-standby) with properly sized hardware, Load Sharing (active-active) is definitely a valid option in certain scenarios.

    The main consideration with configuration (and primary source of most "issues") is simply whether to use Multicast or Unicast, and that decision usually comes down to switching equipment. In short, if your switches can support multicast ARP, then multicast is the way to go. If not, then unicast is the only option. It's not as "clean", and in some situations doesn't perform quite as well, but it's usually viable.

    Also, please keep in mind that if performance dictates that you use 2 gateways in a load-sharing cluster, then maintaining high-availability would require a third. I see it far too often that someone has gone from a high-availability deployment to a 2-gateway load-sharing cluster (for performance reasons), while forgetting that a failure of one of the members would leave them without the performance they now require. True HA/LS requires an N+1 architecture.

    I'm sure others will chime in here as well. To help, did your solution architect give you a reason?

    Also, please do not cross-post in multiple forums. Most members here review all new posts, regardless of where you put it. I deleted your other thread.

    -E

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by alienbaby View Post

    1. Regardless of the Active/Active method, you can never get more bandwidth through the cluster as a whole than you could through a single node. In my testing Active/Active added up to 15% to the CPU, and lowered overall cluster throughput by 5% to 15%.

    2. If you have a requirement for full throughput during a failure, then you can never allow a given node to exceed 50% of its capabilities. If both nodes are doing 70% and one fails, then the remaining node is suddenly having to do 140% of its capabilities.

    3. Troubleshooting is far more complicated for an Active/Active cluster than an Active/Standby cluster.

    4. Configuration is exponentially more complicated. If you're going to do true Active/Active, then you'll need to prepare/configure the switches around the cluster. The switches will need to be mid to high end switches that allow static CAM entries, static ARP, IGMP disabling etc. If the firewalls and network gear are managed by two different teams, then you're looking at a political nightmare.

    5. Causes interoperability issues between the Active/Active cluster and Layer 2 sticky devices (Cisco ASA, Cisco WLC, Cisco CSM, ALL Load Balancers) within directly connected VLANs.

    At the end of the day, Active/Active, without Hardware load balancers, is a complete waste of time/effort. And adds time and effort for care and feeding, adds/moves/changes, troubleshooting etc.

    From a thread in 2010: https://www.cpug.org/forums/archive/...p/t-14821.html

    Active/Active clusters do not improve performance. The decision function actually robs the cluster of throughput...

    What is the reasoning being given to you in the request to convert to active/active? What problem does he/she believe they are solving as they create additional problems?
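
The N+1 sizing point made in replies #2 and #3 (a two-member load-sharing cluster cannot exceed 50% per member and still survive a failure; 70% each becomes 140% on the survivor) can be checked with a few lines. The following is an added example written for this thread, not code from CPUG or from Check Point; the per-member arithmetic is the replies' own, and `members_needed` additionally assumes that aggregate capacity grows with member count, which reply #3 disputes for real clusters, so treat its result as a best case.

```python
"""Capacity check for a load-sharing (active-active) firewall cluster.

Added example, not from the thread. Models the sizing rule the replies
state: after one member fails, the survivors absorb the whole load, so
each member may carry at most (N - 1) / N of its capacity in steady
state. Utilization is a fraction (0.7 means 70%).
"""
from math import ceil


def post_failure_utilization(n_members: int, utilization: float) -> float:
    """Per-member utilization once one of n_members has failed.

    The survivors share the failed member's load equally, so the result
    is n * u / (n - 1). Two members at 70% leave the survivor at 140%,
    the case reply #3 describes.
    """
    if n_members < 2:
        raise ValueError("a cluster needs at least two members")
    return n_members * utilization / (n_members - 1)


def max_safe_utilization(n_members: int) -> float:
    """Highest steady-state per-member utilization that still fits on the
    survivors after a single failure: (n - 1) / n. Two members: 50%,
    three members: 66.7%."""
    if n_members < 2:
        raise ValueError("a cluster needs at least two members")
    return (n_members - 1) / n_members


def survives_single_failure(n_members: int, utilization: float) -> bool:
    """True when losing one member leaves every survivor at or below 100%."""
    return post_failure_utilization(n_members, utilization) <= 1.0


def members_needed(required_throughput: float, member_capacity: float) -> int:
    """Smallest cluster size that still carries required_throughput with
    one member down (the N+1 rule from reply #2).

    Assumption: aggregate usable capacity grows with the number of active
    members. Reply #3 reports that load sharing does not add throughput,
    so this is an upper bound on what the design can deliver.
    """
    if required_throughput <= 0 or member_capacity <= 0:
        raise ValueError("throughput and capacity must be positive")
    active_needed = ceil(required_throughput / member_capacity)
    return active_needed + 1  # the "+1" is the member you can afford to lose


if __name__ == "__main__":
    # Constructed figures: one box can do 1.0 units, the site needs 1.5.
    print("members needed for 1.5 units with one box down:",
          members_needed(1.5, 1.0))
    for n in (2, 3, 4):
        print(f"{n} members: max safe per-member load "
              f"{max_safe_utilization(n):.0%}")
    print("2 members at 70%, one fails ->",
          f"{post_failure_utilization(2, 0.7):.0%} on the survivor")
```

The check reads the other way too: if the architect wants two members because one is not enough for the load, `survives_single_failure(2, utilization)` will be false for anything above 50%, which is exactly the trap reply #2 warns about.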

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by EricAnderson View Post
    I'm sure others will chime in here as well. To help, did your solution architect give you a reason?
    My guess is that the architect recommended Active-Active for one of these reasons:

    1) To fully utilize existing hardware without having one of the firewalls "sitting around doing nothing" in an active-passive setup. However, the passive member isn't really "doing nothing": it is taking sync updates and backing up the active member if it fails! Not really a valid reason in my opinion.

    2) The firewalls purchased may be somewhat underpowered for what they are being asked to do from a throughput or feature perspective. In that case the poor performance scenario mentioned by Eric could definitely manifest itself if an N+1 design (3 cluster members in this case) is not utilized.

    3) The two members of the Active-Active cluster will be located at geographically disparate sites (for example one at the main site and the other one at the Disaster Recovery [DR] site) and there is a need to potentially support asymmetric routing of packets through the two sites in various partial failure or dynamic routing scenarios. I've never been a fan of designing asymmetry into networks, but in certain cases like that it can be justified; sometimes it is just to compensate for a questionable design that is already in place.

    In case it is not clear, I am definitely not a fan of active-active if it can be avoided.

  5. #5
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    16

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by ShadowPeak.com View Post
    My guess is that the architect recommended Active-Active for one of these reasons:
    Aren't Nokias using VRRP set to active/active by default? Not sure if Gaia is similar...
    It's all in the documentation.

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by melipla View Post
    Aren't Nokias using VRRP set to active/active by default? Not sure if Gaia is similar...
    I don't think so, do you mean Nokia Clustering instead? Nokia clustering and its active-active capabilities did not make it into Gaia.

  7. #7
    Join Date
    2014-07-07
    Posts
    4
    Rep Power
    0

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by EricAnderson View Post
    While I believe most here will agree that it's better to run High Availability (active-standby) with properly sized hardware, Load Sharing (active-active) is definitely a valid option in certain scenarios.

    The main consideration with configuration (and primary source of most "issues") is simply whether to use Multicast or Unicast, and that decision usually comes down to switching equipment. In short, if your switches can support multicast ARP, then multicast is the way to go. If not, then unicast is the only option. It's not as "clean", and in some situations doesn't perform quite as well, but it's usually viable.

    Also, please keep in mind that if performance dictates that you use 2 gateways in a load-sharing cluster, then maintaining high-availability would require a third. I see it far too often that someone has gone from a high-availability deployment to a 2-gateway load-sharing cluster (for performance reasons), while forgetting that a failure of one of the members would leave them without the performance they now require. True HA/LS requires an N+1 architecture.

    I'm sure others will chime in here as well. To help, did your solution architect give you a reason?

    Also, please do not cross-post in multiple forums. Most members here review all new posts, regardless of where you put it. I deleted your other thread.

    -E
    He did not give me any reason why we are going for the active-active setup; maybe he doesn't want to see the firewall sitting idle. We have some FTP traffic that needs to pass through these firewalls. I believe the FTP service likes to stay on one firewall rather than have the traffic split between two different firewalls. Does FTP work in an active-active scenario?
    Last edited by muralidkosaraju; 2015-01-05 at 11:23.

  8. #8
    Join Date
    2014-09-02
    Posts
    360
    Rep Power
    10

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by muralidkosaraju View Post
    He did not give me any reason why we are going for the active-active setup; maybe he doesn't want to see the firewall sitting idle. We have some FTP traffic that needs to pass through these firewalls. I believe the FTP service likes to stay on one firewall rather than have the traffic split between two different firewalls. Does FTP work in an active-active scenario?
    Don't worry about services like FTP. Connection "stickiness" can be configured (and is by default) to make sure that packets within the same connection are handled by the same member.

    Again, while I'm not a huge fan of active-active, get a reason from him. That will help us guide you better, either in support of it or against it.

    -E

  9. #9
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by EricAnderson View Post
    Don't worry about services like FTP. Connection "stickiness" can be configured (and is by default) to make sure that packets within the same connection are handled by the same member.

    Again, while I'm not a huge fan of active-active, get a reason from him. That will help us guide you better, either in support of it or against it.

    -E
    I worked in an environment where active-active (unicast 70/30) was deployed and it was a PITA to manage and troubleshoot. Sometimes, it just stopped working for no reason. Not to mention the fact that every time you need to run tcpdump, you have to do that on both firewalls. When it comes to running multicast on the firewalls, it is a nightmare. Definitely not recommended.

    The guy who recommended the Active/Active configuration probably never worked a day in an operational environment. My motto is KISS (Keep It Simple, Stupid).

  10. #10
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    257
    Rep Power
    8

    Default Re: What are the issues in active-active scenario?

    I fully agree with the other guys' opinion to keep it simple. If you run active-active, troubleshooting gets much more complex, and as already mentioned, you need a 3-node cluster to gain high availability. Active-active is a self-seller term for management consultants, but an ugly setup for the poor admins and operators digging in the bits.

  11. #11
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by muralidkosaraju View Post
    He did not give me any reason why we are going for the active-active setup; maybe he doesn't want to see the firewall sitting idle. We have some FTP traffic that needs to pass through these firewalls. I believe the FTP service likes to stay on one firewall rather than have the traffic split between two different firewalls. Does FTP work in an active-active scenario?
    Human psychological weakness is the true reason why most active/active clusters exist.

    The real result is that lots of additional complexity is introduced, and with lots of additional failure conditions and lowering of mean time between failures. It's like a drug. To solve one problem, take this pill; oh and you'll experience these three side effects. For which we have other drugs and associated side effects and so on and so on..

    Before you know it, you've got an overly complex network that no one can control/fix/troubleshoot/understand/change/upgrade. And then you're calling me, and paying my big rates to pull it all apart and restore your stability.

  12. #12
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Default Re: What are the issues in active-active scenario?

    Quote Originally Posted by muralidkosaraju View Post
    He did not give me any reason why we are going for the active-active setup; maybe he doesn't want to see the firewall sitting idle. We have some FTP traffic that needs to pass through these firewalls. I believe the FTP service likes to stay on one firewall rather than have the traffic split between two different firewalls. Does FTP work in an active-active scenario?
    For traffic like that there are options known as Sticky Connections which, instead of distributing through the active-active nodes, will attempt to keep the traffic for a connection through a single node. Have a read through sk31533 and you will see the part regarding FTP support.
    However, also please note that SecureXL is turned off when using Sticky Connections.

    This will mean that connections are not accelerated which depending upon your traffic type may or may not be occurring anyway.

    As you would normally turn SecureXL off when troubleshooting anyway this may not be an issue.

    However, I would insist on a reason as to why he is favouring Active-Active, and if he cannot provide one, stick with the Active-Standby system. It works, makes troubleshooting much simpler, and no doubt you will be the person who has to maintain it, not the solution architect.

  13. #13
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: What are the issues in active-active scenario?

    One other piece of information to add to the "Active/Active is a bad idea" argument is chain forwarding.
    Particularly in asymmetric situations, some traffic must be forwarded to the original node who saw the traffic to do correct security enforcement.
    This happens most often with IPS but can also happen with App Control and other blades that use the same underlying infrastructure.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
