topic Re: Full mesh redundancy HA cluster in Firewall and Security Management

Full mesh redundancy HA cluster

Nima_Chogyal — Thu, 15 Dec 2022 10:45:47 GMT

Im trying to make a full mesh redundancy on my HA cluster. I have read the admin guide but it says nothing on how to configure a full mesh redundancy. I created bond interfaces(802.3ad) which has two sub interfaces on each of the gateways. I have two core switches and configured LACP on it. The network is up but i am not able to ping the secondary gateway and i can see that the bond interface on the 2nd gateway is down while the bond interface on the primary is up.

regards,

Nima

Re: Full mesh redundancy HA cluster

G_W_Albrecht — Thu, 15 Dec 2022 11:01:10 GMT

>> I have read the admin guide but it says nothing on how to configure a full mesh redundancy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/Bond-HA-in-Cluster-Fully-Meshed-Redundancy.htm

Re: Full mesh redundancy HA cluster

Nima_Chogyal — Thu, 15 Dec 2022 11:14:49 GMT

Hi Albrecht,

I didnt see a topic on how i could configure the bond interfaces in a full mesh redundancy.

regards,

Nima

Re: Full mesh redundancy HA cluster

G_W_Albrecht — Thu, 15 Dec 2022 11:30:19 GMT

Here it states: Bonding provides High Availability of NICs. If one fails, the other can function in its place. But just read further:

Configuring a Bond Interface in High Availability Mode

On each Cluster Member, follow the instructions in the R81 Gaia Administration Guide - Chapter Network Management - Section Network Interfaces - Section Bond Interfaces (Link Aggregation).

Re: Full mesh redundancy HA cluster

Nima_Chogyal — Thu, 15 Dec 2022 12:11:04 GMT

It still doesnt tell me on how to configure a full mesh redundancy .

regards,

Nima

Re: Full mesh redundancy HA cluster

G_W_Albrecht — Thu, 15 Dec 2022 13:06:31 GMT

Did you study all relevant topics from start of the ClusterXL Admin Guide ?

Re: Full mesh redundancy HA cluster

the_rock — Thu, 15 Dec 2022 13:45:03 GMT

K, lets start with basics...if you say those interfaces are down on backup member, can you send output of below in clish:

Lets assume interface name is bond007

show interface bond007

Then from expert mode run below:

cpstat fw -f interfaces

cpstat fw -f all

Please send output of everything (please blour out any sensitive info).

Cheers.

Re: Full mesh redundancy HA cluster

Bob_Zimmerman — Thu, 15 Dec 2022 16:46:46 GMT

You keep saying "full mesh redundancy". Could you define exactly what you mean by that for us? That term isn't meaningful on its own without further information. A diagram may be helpful.

What sorts of faults are you trying to defend against?

Re: Full mesh redundancy HA cluster

Nima_Chogyal — Fri, 16 Dec 2022 04:01:49 GMT

By Full mesh redundancy i mean something like this..

When i run the command cphaconf show_bond bond1 all the slave interfaces are shown as active on both the checkpoint gateways but the status of the bond interface is shown as down on the gateway which is currently on standby and UP on the gateway which is currently taking the network load.

Re: Full mesh redundancy HA cluster

emmap — Fri, 16 Dec 2022 07:03:24 GMT

On the switches, have you configured two separate LACP bonds (one per gateway with two interfaces each) or one big one with all four interfaces?

Re: Full mesh redundancy HA cluster

Nima_Chogyal — Fri, 16 Dec 2022 12:58:22 GMT

On the switch i have configured one lacp interface with four slave interfaces.

Re: Full mesh redundancy HA cluster

the_rock — Fri, 16 Dec 2022 13:26:39 GMT

In my 15 years dealing with CP, I had never seen that before. Not saying its not possible, but cant really find any documentation about it either.

Re: Full mesh redundancy HA cluster

Bob_Zimmerman — Fri, 16 Dec 2022 14:44:46 GMT

So 4 and 5 are two physically separate switches capable of multi-chassis link aggregation (Cisco MEC, vPC, or similar)?

There is no way to have a single aggregate link with members on multiple Check Point servers.

Separately, I cannot advise more strongly against using multi-chassis link aggregation technologies. They lead to bad availability design elsewhere, which causes outages to be both more frequent and much more severe than they would have been. I say this from direct personal experience.

Re: Full mesh redundancy HA cluster

_Val_ — Mon, 19 Dec 2022 11:05:44 GMT

Why would you do it as shown? I also second what @Bob_Zimmerman said, this looks like a bad design.

Re: Full mesh redundancy HA cluster

G_W_Albrecht — Mon, 19 Dec 2022 11:32:00 GMT

Look: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/B...

Re: Full mesh redundancy HA cluster

_Val_ — Mon, 19 Dec 2022 11:38:44 GMT

Sorry, you are right 🙂 Removed my previous comment. This is... interesting

Re: Full mesh redundancy HA cluster

Bob_Zimmerman — Mon, 19 Dec 2022 15:51:57 GMT

I don't think I've seen that documentation before. Interesting.

It's talking about active/backup transmit link selection (e.g, set bonding group 0 mode active-backup). This topology can't be achieved with LACP. The switches should not be aware of the link aggregation. As far as they are concerned, the ports leading to the firewalls are plain access or tagged ports.

While that would be functional, it has some complicated availability implications. Active/backup bonds receive on all members, but only transmit on one. Only loss of layer 2 link would cause the firewall to switch to the alternate interface. If something failed past the immediately-connected switches causing traffic through only one to work, the firewalls are unlikely to be able to tell. It might be possible for ClusterXL to tell as long as fw1 was using switch 4 primarily and fw2 was using switch 5 primarily. Then, if a link between the switches failed, the cluster heartbeats on that interface would fail, which could cause a failover of the firewall cluster. To maintain this pathing, you would need to specify a primary link for the bond (e.g, set bonding group 0 primary eth2).

I would test this extensively before depending on it.

Edit: No, wait. If each switch is operating correctly in isolation, but one of them has no access to the broader network, the cluster heartbeats wouldn't fail. fw1 would transmit to switch 4, which is still able to get to fw2. fw2 would transmit to switch 5, which is still able to get to fw1.

I'm not sure there's a good way to get this topology to tolerate failures which cut one of the switches off from the broader network.

Re: Full mesh redundancy HA cluster

the_rock — Mon, 19 Dec 2022 22:40:37 GMT

I honestly never seen that part of doc before, I guess my "searching" skills are not as good as yours Guenther : - )

Andy

Re: Full mesh redundancy HA cluster

Nima_Chogyal — Tue, 20 Dec 2022 04:22:17 GMT

Yeah, theres no proper documentation on how we can achieve a full mesh redundancy... it only says we can do it.. I have read countless documentation at this point and i stumbled on R81.10 clusterXL documentation which tells us about group bonding. dont know if that will work on r80.10..

Re: Full mesh redundancy HA cluster

Nima_Chogyal — Tue, 20 Dec 2022 04:28:24 GMT

4 and 5 are two physically separate servers and the switch is using ciscos stackwise virtual domain