https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108626#M14681 <P>Hi all,</P><P>Thought this could be good knowledge to publish as this will no doubt, if not already, resulted in many calls to TAC.</P><P>I was working on a cluster for a customer recently - upgrading hardware and software.</P><P>Failover between the firewalls were taking 5 minutes during a simulated and unplanned outage. All the usual CXL and failover troubleshooting was done. Check Point side, it was solid. No problems with state sync.</P><P>I decided to enable vMAC which brought the whole network to life. Failover instant with no packet loss at all.&nbsp;<BR /><BR /></P><P>vMAC is literally designed for reasons like this, but it looks like Meraki doesn’t ‘support’ G-ARP.</P><P>A Citrix ADC user fell into the same issue here.</P><P><A href="https://community.meraki.com/t5/Switching/Meraki-MS-switching-and-Gratuitous-ARP-with-Citrix-ADC-Netscaler/td-p/93078" target="_blank" rel="nofollow noopener noreferrer">https://community.meraki.com/t5/Switching/Meraki-MS-switching-and-Gratuitous-ARP-with-Citrix-ADC-Net...</A></P><P>I think it would be useful for Check Point to publish this in order to assist customer first hand as the issue on first glance looks like the Check Points themselves.</P> Sun, 24 Jan 2021 01:15:35 GMT JackPrendergast 2021-01-24T01:15:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108626#M14681 <P>Hi all,</P><P>Thought this could be good knowledge to publish as this will no doubt, if not already, resulted in many calls to TAC.</P><P>I was working on a cluster for a customer recently - upgrading hardware and software.</P><P>Failover between the firewalls were taking 5 minutes during a simulated and unplanned outage. All the usual CXL and failover troubleshooting was done. Check Point side, it was solid. No problems with state sync.</P><P>I decided to enable vMAC which brought the whole network to life. Failover instant with no packet loss at all.&nbsp;<BR /><BR /></P><P>vMAC is literally designed for reasons like this, but it looks like Meraki doesn’t ‘support’ G-ARP.</P><P>A Citrix ADC user fell into the same issue here.</P><P><A href="https://community.meraki.com/t5/Switching/Meraki-MS-switching-and-Gratuitous-ARP-with-Citrix-ADC-Netscaler/td-p/93078" target="_blank" rel="nofollow noopener noreferrer">https://community.meraki.com/t5/Switching/Meraki-MS-switching-and-Gratuitous-ARP-with-Citrix-ADC-Net...</A></P><P>I think it would be useful for Check Point to publish this in order to assist customer first hand as the issue on first glance looks like the Check Points themselves.</P> Sun, 24 Jan 2021 01:15:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108626#M14681 JackPrendergast 2021-01-24T01:15:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108627#M14682 <P>Useful tip, thanks for sharing.</P> Sun, 24 Jan 2021 01:18:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108627#M14682 PhoneBoy 2021-01-24T01:18:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108629#M14684 <P>Great tip.&nbsp; I mentioned this effect in my Max Power 2020 book and called it a "slow" failover, also mentioning the fact that some devices don't accept gratuitous ARPs because they track "state" for ARP and will reject an ARP Reply that they did not explicitly request.&nbsp; Generally leaving "Enable VMAC" UNchecked is recommended unless a slow failover is encountered, as the default Gratuitous ARP mechanism does the job on most networks; VMAC mode can cause additional issues in some cases if portfast is not set on the switchports the firewall is attached to.</P> Sun, 24 Jan 2021 02:44:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108629#M14684 Timothy_Hall 2021-01-24T02:44:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108654#M14699 <P>Well, that’s exactly what I referred to when I was stood staring at the screen looking confused! I remembered something in your book and went to have a look.</P><P>I don’t ever use vMAC for any deployment but it’s a great remedy. Thanks Tim</P> Sun, 24 Jan 2021 10:25:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Notice-regarding-clusterXL-failover-and-Cisco-Meraki/m-p/108654#M14699 JackPrendergast 2021-01-24T10:25:00Z