topic Re: Can we avoid the promiscuous mode for vSEC clustering ? in Cloud Firewall

Can we avoid the promiscuous mode for vSEC clustering ?

Cyprien_Leseurr — Thu, 28 Sep 2017 08:02:38 GMT

I work since few weeks on the virtualization of checkpoint security gateways. And to allow HA protocol (CCP) in order to create a clusterXL, I had to enabled the promiscuous mode on vmware.
So I was wondering if there was not another solution.
If not, is there some best pratices to avoid route causes on datacenters (packet loss for example) ?

Re: Can we avoid the promiscuous mode for vSEC clustering ?

PhoneBoy — Thu, 28 Sep 2017 20:46:26 GMT

I'm not sure what you mean by "route causes."

In general, the CCP packets (which are Multicast by default) are there to determine reachability/availability of the cluster members on interfaces.

You can potentially switch ClusterXL mode to Broadcast mode: How to set ClusterXL Control Protocol (CCP) in Broadcast / Multicast mode in ClusterXL

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Cyprien_Leseurr — Tue, 03 Oct 2017 14:18:38 GMT

Actually it may not be the right term.

In order "to determine reachability/availability of the cluster members on interfaces", we must authorize the promiscuous mode on the vSwitch in VMware (both Broadcast and Multicast)

And I have some packet loss in my datacenter due to this mode , so I search some best practices to avoid this mode or reduice its impact.

But I didn't find yet informations about this (in forum or in CP docs).

For information, we use vSphere 5.5.

Maybe you have another idea ?

Re: Can we avoid the promiscuous mode for vSEC clustering ?

PhoneBoy — Tue, 03 Oct 2017 15:33:10 GMT

Unfortunately, ClusterXL in its various forms requires multicast or broadcast packets, so this mode is required.

Its use is commensurate with the amount of traffic being passed by the cluster.

Perhaps you can limit it's impact by reducing the number of devices directly connected to the same vSwitches as the vSEC instances.

As this sounds like a VMware issue, have you engaged with them at all?

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Cyprien_Leseurr — Tue, 03 Oct 2017 15:45:31 GMT

You have perfectly right. It's indeed a VMware issue and it would seem that we must upgrade our vSphere plateform to version 6.

With v6 we could use multicast without promiscuous mode but I would have liked to have Checkpoint confirmation that this is the best practice.

By the way thanks for your response.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Vladimir — Wed, 04 Oct 2017 17:38:03 GMT

The packet loss you are referring to may be due to the broadcast control configured on physical switches your ESXi servers are connected to.

Please verify if there are any settings limiting broadcast set on the ports corresponding to NICs that have port groups and vSwitches assigned to the ClusterXL members.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Cyprien_Leseurr — Mon, 09 Oct 2017 09:34:14 GMT

Thank you, I will check this lead with the virtualization infrastructure team.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Fri, 31 May 2019 20:29:34 GMT

Hello , Is there any way to avoid promiscuous mode with R80.20 or R80.30?

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Zach_S — Sun, 02 Jun 2019 03:05:10 GMT

Why do you need promiscuous mode? Do you have VMAC enabled?

Also, CCP supports unicast mode of operation as of R80.30 (need to configure it).

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Mon, 03 Jun 2019 05:12:21 GMT

Hello I tried with R80.20, I configured unicast mode, but the sync lync still showing down, I read that promiscuos mode still mandatory to syncronize the cluster, if you have any material or configuration manuals will be great.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Wed, 05 Jun 2019 20:14:26 GMT

Hello two gw with dvswitch , its configured as unicast, the sync interface remains down. This lab is with version r80.20

Each interface has its own portgroup.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Vladimir — Wed, 05 Jun 2019 20:21:43 GMT

@Pablo_Barriga , each interface or each pair of interfaces?

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Wed, 05 Jun 2019 20:24:42 GMT

Each network adapter has its own portgroup.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Vladimir — Wed, 05 Jun 2019 20:27:34 GMT

@Pablo_Barriga , what i am trying to determine if your Sync interfaces of both cluster member are sharing the same portgroup. They should.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Wed, 05 Jun 2019 20:30:28 GMT

Yes each gw share the same portgroup with their segments, we have IP connectivity with all the IP address of each interface connected, but the sync still down. I haven´t try VMAC enabled yet

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Vladimir — Wed, 05 Jun 2019 20:32:36 GMT

Are the vSECs on the same host or on two different hosts?

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Wed, 05 Jun 2019 20:49:21 GMT

Different hosts

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Vladimir — Wed, 05 Jun 2019 21:09:43 GMT

I suggest v-motioning the vSECs to the same, verifying that it works and if it does, moving them back to separate hosts and looking at the portgroup/dvswitch/physical switch to see where its getting lost.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Pablo_Barriga — Wed, 12 Jun 2019 23:34:48 GMT

Hello both gws are on the same host, but the cluster remains down, VMAC enabled.

Re: Can we avoid the promiscuous mode for vSEC clustering ?

G_W_Albrecht — Thu, 13 Jun 2019 11:35:44 GMT

I would involve TAC to resolve this...