topic Re: ElasticXL SYNC redundancy in Firewall and Security Management

ElasticXL SYNC redundancy

Wolfgang — Tue, 28 Apr 2026 09:24:29 GMT

We want to have redundancy for the SYNC connection in a ElasticXL cluster (2 appliances).

SYNC is a BOND and it's possible to add additional interface to this BOND. We want to use one connection direct connected between the two appliances and another one via switches. With this we can't configure the BOND as LACP-channel, because both ends of the BOND are not on the same devices.

But how about configuring the BOND as active/backup ? Not both are active but if one is failing the second is used.

I don't know which BOND mode is used by default for the SYNC Bond.

Re: ElasticXL SYNC redundancy

Chris_Atkinson — Tue, 28 Apr 2026 09:49:12 GMT

I'm fairly certain the Sync-bond is active-backup by default.

You may check it using:

[Expert@EXL-s01-01:0]# clish -c "show configuration" | grep 1024

Re: ElasticXL SYNC redundancy

Bob_Zimmerman — Tue, 28 Apr 2026 14:24:14 GMT

It definitely is active-backup by default.

[Expert@DallasticXL-s01-01:0]# clish -c "show configuration" | grep 1024 add bonding group 1024 set bonding group 1024 mode active-backup set bonding group 1024 primary eth1-Sync set bonding group 1024 xmit-hash-policy layer2 add bonding group 1024 interface eth1 add bonding group 1024 interface eth1-Sync

Note that active-backup doesn't test the alternate paths. If it's active on the direct-cabled path and that fails for some reason, you might discover the switched path failed some time ago without being noticed.

I personally prefer round-robin for this reason, though with round-robin, you can end up in a situation where one member's link to the switch has failed. The symptom of this is the member with the bad link can reliably send traffic to other members, but it can't reliably receive traffic from them.

Re: ElasticXL SYNC redundancy

Wolfgang — Tue, 28 Apr 2026 19:11:01 GMT

Thanks @Bob_Zimmerman and @Chris_Atkinson for your suggestions. I really understand the behaviour with active/backup and the problematic two links from gateway to switch. I prefer a LACP bond, with LACP a probing is done and it’s known which link is working. But our customer prefer to use the mentioned links.