https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58103#M84981 Hi,<BR />We are using take 317. SK which you have shared is for stability issue, we dont have any stability issue. My concern is regarding the state of Active firewall which goes down when Sync link goes down.<BR /><BR />Thank you Fri, 12 Jul 2019 12:22:51 GMT Sumedh_Gujar 2019-07-12T12:22:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58030#M84977 <P>Hi,</P><P>I am bit confused in behavior of HA cluster. We have configured HA cluster between our 2 firewalls (12400 and R77.30). We have point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and Standby firewall goes to Active state, which we can see in cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or like Cisco HSRP, both firewalls should go to Active Active mode.&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>Sumedh</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Jul 2019 14:04:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58030#M84977 Sumedh_Gujar 2019-07-11T14:04:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58053#M84978 <P>Use a LACP bond interface in HA mode for your sync. This is the sulution to secure your sync interface.</P> <P>More informations can you found here:</P> <P><A href="https://community.checkpoint.com/t5/General-Topics/R80-30-cheat-sheet-ClusterXL/td-p/41693" target="_self">R80.30 cheat sheet - ClusterXL</A></P> Fri, 12 Jul 2019 09:06:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58053#M84978 HeikoAnkenbrand 2019-07-12T09:06:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58101#M84979 <P>Refer also&nbsp;<SPAN>sk133372 are you using</SPAN>&nbsp;JHF T343 or above?</P> <P>(When you say sync is going down how is it normally connected to a switch or directly to the peer gateway.)</P> Fri, 12 Jul 2019 13:52:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58101#M84979 Chris_Atkinson 2019-07-12T13:52:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58102#M84980 Thanks for your suggestion, we will check and try for LACP to avoid single link failure. Fri, 12 Jul 2019 11:46:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58102#M84980 Sumedh_Gujar 2019-07-12T11:46:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58103#M84981 Hi,<BR />We are using take 317. SK which you have shared is for stability issue, we dont have any stability issue. My concern is regarding the state of Active firewall which goes down when Sync link goes down.<BR /><BR />Thank you Fri, 12 Jul 2019 12:22:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58103#M84981 Sumedh_Gujar 2019-07-12T12:22:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58148#M84982 Please review the details of the SK closer specifically regarding SYNC. Sat, 13 Jul 2019 10:53:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58148#M84982 Chris_Atkinson 2019-07-13T10:53:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58150#M84983 <P>Or you can also set up 2nd sync link over lowest VLAN on any of interfaces.<BR />In some cases, we temporary used External interface as Sync, although&nbsp;such a configuration is not recommended by Check Point.</P> Sat, 13 Jul 2019 11:30:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58150#M84983 JozkoMrkvicka 2019-07-13T11:30:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58151#M84984 sk92804 outlines why multiple sync interfaces aren't recommended (performance impact) and the preference for bonds. Sat, 13 Jul 2019 11:48:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58151#M84984 Chris_Atkinson 2019-07-13T11:48:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58260#M84985 <P>I just crosschecked what I memorized and I remembered it right.&nbsp;<SPAN><A title="Sync Redundancy in ClusterXL" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92804" target="_blank" rel="noopener">sk92804</A> says:</SPAN></P><P><EM>Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy <U><STRONG>is&nbsp;not&nbsp;supported</STRONG></U> for the following reasons: […]</EM></P><P>&nbsp;</P><P>Multiple sync interfaces are not just "not recommended" but "not supported". In my opinion this is a stricter statement.</P> Mon, 15 Jul 2019 13:39:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58260#M84985 Oliver_Fink 2019-07-15T13:39:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58339#M84986 <P>Got the points in&nbsp;<SPAN>sk92804. We can follow the steps mentioned in that SK.&nbsp;&nbsp;</SPAN></P> Tue, 16 Jul 2019 09:53:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58339#M84986 Sumedh_Gujar 2019-07-16T09:53:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58693#M84987 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/20865">@Sumedh_Gujar</a>,</P><P>&nbsp;</P><P>Even that most of the comments are on how to prevent losing SYNC connection I want to step back you your original question.</P><P>If I can correctly the question is actually - will there be split-brain (active-active) situation if the sync link is down?</P><P>The answer is no. In contrast to other vendors, Checkpoint is using <STRONG>all cluster interfaces</STRONG> to monitor the member. This means that if the sync link is down, the FW will check if it still receive ccp packets from the other member through any of the cluster interfaces. You will probably loose connection table synchronization (if I am not wrong, connection sync will happen only via sync link, but heartbeat monitoring is via all cluster interfaces), but no split-brain scenario should occur. A failover will occur, because the active member will report interface down, the second member will become active ( attention) since it also has interface down.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Jul 2019 09:42:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58693#M84987 Alexander_Asta1 2019-07-22T09:42:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58793#M84988 Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/26764">@Alexander_Asta1</a>,<BR />Thanks for your explanation, this has helped me to clear my confusion. Tue, 23 Jul 2019 09:47:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Behavior-of-HA-cluster-when-SYN-link-is-down/m-p/58793#M84988 Sumedh_Gujar 2019-07-23T09:47:17Z