topic Re: Checkpoint Cluster Upgrade: VPN question in Firewall and Security Management

Checkpoint Cluster Upgrade: VPN question

ashah — Wed, 16 Jun 2021 21:11:30 GMT

Hello,

I am Planning to upgrade checkpoint cluster from R80.10 to R80.30 with "ZeroDown time" process.

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Guide/html_frameset.htm

we have a few site to site VPN from this cluster. During upgrade process, we have to failover primary firewall via applying #cpstop command. I want to know how VPN tunnels will be effected while upgrade process ? do i need to consider specific steps for VPN and/or mobile access blade configuration.

thanks in advance.

Re: Checkpoint Cluster Upgrade: VPN question

Tobias_Moritz — Thu, 17 Jun 2021 14:02:55 GMT

I suggest that you read the relevant sections of this guide completely, as answers to your questions are there (including much more).

You said you will use Zero Downtime approach. This is not non-disruptive at all. The name is somehow misleading - technically correct, but most people will assume more than meant here.

There are two other relevant upgrade modes (Connectivity Upgrade and Optimal Service Upgrade) which are better and can be non-disruptive for certain use cases. But you mentioned VPN and mobile access and here the guide clearly says: not supported.

The guide also gives special hints regarding custom Mobile Access configuration, which you have to take special care of, because it would not survive upgrade.

Re: Checkpoint Cluster Upgrade: VPN question

ashah — Thu, 17 Jun 2021 14:23:16 GMT

Thank you very much for your response,

this was the biggest confusion on that which method i should go for, customer do not want any downtime at all but checkpoint TAC support suggested "zero downtime" method.

when it says, VPN and mobile access are not supported, should i expect that VPN will go totally down and/or i will have to re-build them after the upgrade?

again, TAC told me that, VPN should survive as at least one cluster member will always be UP.

a lot of confusion on TAC's advice vs user guide.

please suggest.

Re: Checkpoint Cluster Upgrade: VPN question

Markus_Genser — Thu, 17 Jun 2021 14:45:53 GMT

Hello,

My experience with Zero Downtime upgrades were that firewall session are kept with a light packet loss (1 or 2 packets).

S2S tunnel will disconnect and need to reconnect, which will cause an outage for the tunnel.

Remote Access connections will also disconnect and need to reconnect.

I've done those upgrades from R77.30 to R80.20 and R80.20 to R80.40.

Re: Checkpoint Cluster Upgrade: VPN question

ashah — Thu, 17 Jun 2021 14:52:08 GMT

thanks a lot Markus for your input,

after i saw comment from Tobias, i was thinking to go with connectivity upgrade method. if zero down time method wont be able to keep connectivity UP all the time, what do you think ? please suggest.

zero down time process says to apply #cpstop command on older active cluster version, is this the correct approach you applied?

How long your upgrade took?

when you say i will have to reconnect VPN, can you elaborate this please? do i have to re-configure VPNs?

thanks for the help !!

Re: Checkpoint Cluster Upgrade: VPN question

Tobias_Moritz — Thu, 17 Jun 2021 14:53:39 GMT

From what the guide says, what sk107042 says and my own experience, I would say TAC advise is wrong.

Site to Site VPNs should recover automatically after a while, if they fail. Regarding RAS VPNs, I think it depends on the client and configuration. A manual reconnect may be needed.

I suggest using Connectivity Upgrade (MVC is a R80.40 feature) and live with the RAS-VPN and Mobile Access problems (and the other limitations). Non-traditional Site to Site VPNs should survive this upgrade method.

Re: Checkpoint Cluster Upgrade: VPN question

Tobias_Moritz — Thu, 17 Jun 2021 14:57:20 GMT

@Markus_Genser : The guide and the sk clearly say for Zero Downtime upgrade method:

Connections are not synchronized between cluster members running different Check Point software versions.
Connections that were initiated on a cluster members running the previous version are dropped when the cluster member is upgraded to a new version.
Requires a relatively short maintenance window for old connections to be dropped.

I cannot believe, that in your case "firewall session are kept with a light packet loss (1 or 2 packets)". How can this be possible, when connections are not synced?

Re: Checkpoint Cluster Upgrade: VPN question

Markus_Genser — Fri, 18 Jun 2021 06:11:35 GMT

Well experience from the field is always a bit different than the sk or user guide.

Yes, the sessions persist, but there is still a short window during the failover, that the whole switching needs to recalculate that the frames now leave on a different switch and port and this results in lost packets.

As the firewall still has the session, TCP control mechanism kicks in and resends the lost packet and ICMP & UDP simply don't care.