CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

  1. #1
    Join Date
    2006-09-26
    Posts
    2,961
    Rep Power
    13

    R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    GAIA R77.30 with JHFA 205 ClusterXL High Availability.

    1st sync is a crossover interface between gw1 and gw2,
    2nd sync is an interface connected to a single switch from one of gw1 and gw2 interfaces. Same VLAN of course.

    Under normal state, gw1 is active and gw2 is standby.

    Now I go into the switch and perform a "shutdown" on the switch port that the 2nd sync interface on gw1 is connected to. Now "cphaprob state" on gw1 is shown as down. gw2 is now active.

    Is that normal?

    I thought the purpose of 1st sync and 2nd sync is to provide redundancy and not for something like this to happen.

    Thoughts?

  2. #2
    Join Date
    2015-12-23
    Posts
    47
    Rep Power
    0

    Re: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    From the cluster operation standpoint I think it is, cuz gw2 has more active interfaces so it would take over as the primary.

  3. #3
    Join Date
    2007-06-04
    Posts
    3,219
    Rep Power
    15

    Re: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    That is expected behaviour.

    From sk92804 - https://supportcenter.checkpoint.com...duct=ClusterXL,

    Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy is not supported for the following reasons:
    • By design, the Delta Sync traffic is duplicated on the sending cluster member on all the configured Synchronization Networks (the receiving cluster member checks all received Delta Sync packets and discards the packets that were already processed on one of the Synchronization Networks). This increases load on the CPU on all cluster members.
    • By design, if a cluster interface goes down (from cluster point of view), the member will go into "Down" state. This applies to Sync interfaces as well. Meaning, configuring multiple Synchronization Networks does not provide 100% sync redundancy.
    • Multiple Synchronization Networks are not supported in VSX.

    Note: The ability to configure multiple Synchronization Networks in a cluster object will still exist in SmartDashboard for unique special cases where the cluster administrator is unable to create Bond interfaces.

    As such when you bring down the Synch Interface on the Active Firewall but it remains up on the Standby then you get a failover as the Standby now has more Interfaces available.

  4. #4
    Join Date
    2006-09-26
    Posts
    2,961
    Rep Power
    13

    Re: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    Quote, originally posted by mcnallym:
    > That is expected behaviour.
    >
    > From sk92804 - https://supportcenter.checkpoint.com...duct=ClusterXL,
    >
    > Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy is not supported for the following reasons:
    > • By design, the Delta Sync traffic is duplicated on the sending cluster member on all the configured Synchronization Networks (the receiving cluster member checks all received Delta Sync packets and discards the packets that were already processed on one of the Synchronization Networks). This increases load on the CPU on all cluster members.
    > • By design, if a cluster interface goes down (from cluster point of view), the member will go into "Down" state. This applies to Sync interfaces as well. Meaning, configuring multiple Synchronization Networks does not provide 100% sync redundancy.
    > • Multiple Synchronization Networks are not supported in VSX.
    >
    > Note: The ability to configure multiple Synchronization Networks in a cluster object will still exist in SmartDashboard for unique special cases where the cluster administrator is unable to create Bond interfaces.
    >
    > As such when you bring down the Synch Interface on the Active Firewall but it remains up on the Standby then you get a failover as the Standby now has more Interfaces available.

    Thank you very much for the detailed response. I understand the failover part; however, I guess I am still confused on why when the 2nd SYNC on the active gateway gw1, it marks the gateway as "down/Active" instead of "Standby/Active". The message is kinda misleading, right?

  5. #5
    Join Date
    2007-06-04
    Posts
    3,219
    Rep Power
    15

    Re: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    Quote, originally posted by cciesec2006:
    > Thank you very much for the detailed response. I understand the failover part; however, I guess I am still confused on why when the 2nd SYNC on the active gateway gw1, it marks the gateway as "down/Active" instead of "Standby/Active". The message is kinda misleading, right?

    ClusterXL isn't distinguishing between a Synch Interface and a Cluster Interface. If an Interface is DOWN then the necessary interfaces for ClusterXL are not all there, so the Member is marked as Down. Standby requires that all of the necessary interfaces are still available; as the Interface is Down, the Interface isn't available.

    When you do a Bonded Interface for the Synch, then if a port within the bond is down the bond is still up, so it won't mark as Down at the Cluster.

  6. #6
    Join Date
    2006-09-26
    Posts
    2,961
    Rep Power
    13

    Re: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    Quote, originally posted by mcnallym:
    > ClusterXL isn't distinguishing between a Synch Interface and a Cluster Interface. If an Interface is DOWN then the necessary interfaces for ClusterXL are not all there, so the Member is marked as Down. Standby requires that all of the necessary interfaces are still available; as the Interface is Down, the Interface isn't available.
    >
    > When you do a Bonded Interface for the Synch, then if a port within the bond is down the bond is still up, so it won't mark as Down at the Cluster.

    Thanks again. How about this scenario? gw1 is active and gw2 is standby and 1st sync is a crossover cable between gw1 and gw2. 2nd sync is cabled into a single switch for both gw1 and gw2.

    Now I go into the switch and shutdown the switch port on the 2nd SYNC on both gw1 and gw2. What will happen then? Will it still be, from gw1 perspective, active/standby, down/active, standby/Active or down/down?

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    942
    Rep Power
    12

    Re: R77.30 with JHFA 205 1st Sync and 2nd Sync interface?

    Having two sync interfaces is no longer supported. Best you can do is to bond them.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
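
Added example, not part of the thread or of any Check Point tooling: posts #5 and #7 recommend bonding the sync ports, and since a bond with one failed port stays up, the cluster state will not reveal that failure. This shell function parses the Linux bonding driver's status text to flag a degraded bond; it assumes the gateway exposes the standard /proc/net/bonding/<bond> file, and the sample report and the name bond1 are constructed.

```shell
#!/bin/sh
# Classifies a Linux bonding driver status report (the text format of
# /proc/net/bonding/<bond>) read on stdin.
# Output: "<STATUS> bond_mii=<state> slaves_up=<n>/<total> down=<names>"
# Exit:   0 = OK, 1 = DEGRADED (bond up, a slave down), 2 = DOWN or unparsable.
bond_health() {
    awk '
        /^Slave Interface:/ { slave = $3; total++; next }
        /^MII Status:/ {
            if (slave == "") bond = $3          # first MII line is the bond itself
            else if (!(slave in seen)) {        # count each slave once
                seen[slave] = 1
                if ($3 == "up") up++
                else down = (down == "" ? slave : down "," slave)
            }
        }
        END {
            if (bond != "up" || up == 0) { status = "DOWN"; rc = 2 }
            else if (up < total)         { status = "DEGRADED"; rc = 1 }
            else                         { status = "OK"; rc = 0 }
            printf "%s bond_mii=%s slaves_up=%d/%d down=%s\n", status,
                   (bond == "" ? "unknown" : bond), up, total,
                   (down == "" ? "-" : down)
            exit rc
        }'
}

# Constructed sample report: active-backup bond whose second port lost link.
sample_degraded() {
    cat <<'EOF'
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: down
Link Failure Count: 1
EOF
}

sample_degraded | bond_health || true
# On a gateway (bond name is an assumption): bond_health < /proc/net/bonding/bond1
```

Run it from cron or a monitoring agent and alert on exit code 1, which is the case the cluster itself stays silent about.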
