topic Re: ClusterXL in Firewall and Security Management

ClusterXL

Moudar — Thu, 13 Nov 2025 13:10:10 GMT

Hi,

I have two gateways configured in a ClusterXL High Availability (HA) setup.
However, when I run the cphaprob -a if command, I notice that two interfaces (bond0.8 & bond0.2053) are showing as LS (Load Sharing) mode, and I’m not sure why.

I’ve checked the SmartConsole GUI but couldn’t find any option to change these interfaces from LS to HA mode.

there is no reason to have them in LS because they run very little traffic!

Could you please advise how to correct this?

cphaprob -a if CCP mode: Manual (Unicast) Required interfaces: 4 Required secured interfaces: 1 Interface Name: Status: Sync (S) UP Mgmt Non-Monitored eth1-01 UP bond0.8 (LS) UP bond0.2053 (LS) UP S - sync, HA/LS - bond type, LM - link monitor, P - probing Virtual cluster interfaces: 21 eth1-01 bond0.5 bond0.50 bond0.8 bond0.25 bond0.49 bond0.10 bond0.47 bond0.50 bond0.27 bond0.55 bond0.90 bond0.2053 bond0.41 bond0.70 bond0.56 bond0.27 bond0.53 bond0.940 vpnt10 vpnt11

So I’m wondering when and why these interfaces were configured to operate in Load Sharing (LS) mode, and how I can reconfigure them back to High Availability (HA) mode.

show cluster state Cluster Mode: High Availability (Active Up) with IGMP Membership

Re: ClusterXL

Chris_Atkinson — Thu, 13 Nov 2025 13:29:10 GMT

LS would be default (normal) for LACP / 802.3AD bonds I expect.

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Topics-CXLG/Bond-Load-Sharing-Mode-in-Cluster.htm?tocpath=Advanced%20Features%20and%20Procedures%7CWorking%20with%20Bond%20Interfaces%20in%20Cluster%7CBond%20Load%20Sharing%20Mode%20in%20Cluster%7C_____0

Re: ClusterXL

the_rock — Thu, 13 Nov 2025 13:31:10 GMT

Hey brother,

I see what Chris mentioned, makes total sense, it would indicate type of bond, as per output as well. here is output from my lab

[Expert@CP-FW-01:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 4
Required secured interfaces: 1

Interface Name: Status:

eth0 (LM) UP
eth1 (LM) UP
eth2 (LM) UP
eth3 (S-LM) UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 3

eth0 172.16.10.246
eth1 192.168.10.246
eth2 172.31.10.246

[Expert@CP-FW-01:0]#

Re: ClusterXL

the_rock — Thu, 13 Nov 2025 13:33:24 GMT

Im sure if you change below option, it would show way you want it.

Re: ClusterXL

Chris_Atkinson — Thu, 13 Nov 2025 13:37:37 GMT

Don't change this without considering the switch side configs unless you want to break it.

802.3AD is the defacto standard for bonds.

Re: ClusterXL

Moudar — Thu, 13 Nov 2025 13:40:51 GMT

but all other vlan interfaces are in the same bond interface which is bond0, so why only interface bond0.8 and bond0.2053 are LS?

Re: ClusterXL

the_rock — Thu, 13 Nov 2025 13:41:03 GMT

Yep, forgot to mention that, super important!

Re: ClusterXL

the_rock — Thu, 13 Nov 2025 13:45:38 GMT

Can you send a screenshot?

Re: ClusterXL

Chris_Atkinson — Thu, 13 Nov 2025 13:49:21 GMT

Because only the highest & lowest VLANs are relevant to that part of the output as monitored by ClusterXL.

If anything is odd it's why bond0.5 doesn't show there.

Re: ClusterXL

Moudar — Thu, 13 Nov 2025 13:55:42 GMT

you can see all interfaces belongs to same bond?!

bond0.5         
bond0.50         
bond0.8          
bond0.25        
bond0.49        
bond0.10        
bond0.47        
bond0.50        
bond0.27        
bond0.55        
bond0.90        
bond0.2053      
bond0.41       
bond0.70       
bond0.56      
bond0.27       
bond0.53      
bond0.940

i had other gateway here my bad

Re: ClusterXL

the_rock — Thu, 13 Nov 2025 13:50:53 GMT

I totally remember now the case I had with TAC while back about this. Below sk is what they gave me.

https://support.checkpoint.com/results/sk/sk92826

Re: ClusterXL

Moudar — Thu, 13 Nov 2025 13:51:25 GMT

So i am not going to change any.
i only wonder why only 2 interfaces are LS

Re: ClusterXL

Moudar — Thu, 13 Nov 2025 13:52:27 GMT

so maybe it is vlan 5 i should investigate

Re: ClusterXL

the_rock — Thu, 13 Nov 2025 13:52:38 GMT

Hey brother, please refer to the sk I sent, it would be 100% relevant here, as Chris indicated.