topic Synchronization of VSs in VSX in Firewall and Security Management

Synchronization of VSs in VSX

JozkoMrkvicka — Sun, 26 Oct 2025 09:46:39 GMT

Hi guys,

I have a question which is related to synchronization interface on VSX running within VSLS mode.

If sync interface is not reachable between 2 VSX cluster members, one member will be Active, second Down. But what about status of VSs ? Sync interface is configured on VS0, but does it have impact also on every VS itself ? If sync interface is down on second VSX member, will also all VSs on second member go into down state ?

Another related question - if I reboot second VSX member (in down state) which cannot sync with active member due to issue with sync interface, will rebooted VSX go into active state including all VS? Means, split brain since former active node is all the time active, but second VSX member cannot check state of another VSX member, thus will go into active ?

Or is sync on all VSs done over lowest/highest VlANs, independent from sync interface configured on VS0 ?

Re: Synchronization of VSs in VSX

HeikoAnkenbrand — Sun, 26 Oct 2025 12:10:34 GMT

Hi @JozkoMrkvicka,

The status of a VS (Active / Standby / Down / Ready / Init / Backup) is determined through the Cluster Control Protocol (CCP) mechanism, combined with local health checks and internal synchronization logic.

The Cluster Control Protocol (CCP) operates on Layer 2 or Layer 3, depending on the configured ClusterXL mode (now only Unicast). It is managed by the cphad daemon and periodically exchanges Hello and State messages between cluster members. These messages include key data such as the Cluster ID, Member ID, VSX Instance ID, interface and synchronization status, and the cluster role (Active or Standby). Each Virtual System (VS) maintains its own unique Cluster ID and Member ID combination within CCP, ensuring logical separation between VS instances.

If the Sync interface fails, the VS instances should continue to maintain their cluster status Active, Standby, Backup (in configurations with three or more gateways) through the CCP protocol on the remaining interfaces.

Re: Synchronization of VSs in VSX

emmap — Mon, 27 Oct 2025 02:31:56 GMT

Sync being down will be an interface down and also sync failing, so the VSs will go Active(!)/Down/Down/Down. Also a failure of sync will cause any cluster to go Active(!)/Down, VS or SG.