topic Re: Checkpoint Active-Active Cluster in General Topics

Checkpoint Active-Active Cluster

Digo11 — Mon, 29 May 2023 05:46:47 GMT

Hello Checkmates.

Can I configure clusterXL in active-active load sharing and define which gateway shall process what amount of traffic?

For instance, I have two gateways configured to operate in ClusterXL active-passive mode. I want to use it in an active-active mode where GW1 could handle 70% of traffic and GW2 could handle the rest. Is it possible?

Problem Statement: If my throughput is 10GBPS and I could achieve it using an active-active with two security gateways, in case one GW fails my whole network would be impacted.

Thanks.

Digo.

Re: Checkpoint Active-Active Cluster

Blason_R — Mon, 29 May 2023 08:14:37 GMT

Load will automatically will be decided and I doubt you will be able to control it. however understand the limitation as well. If you have VPN blade running or mobile access - you wont be able to achieve A/A cluster.

Re: Checkpoint Active-Active Cluster

the_rock — Mon, 29 May 2023 12:38:27 GMT

There are some limitations as @Blason_R advised.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Content/Topics-CXLG/Active-Active-Mode.htm#Limitations

If I were you, I would not bother, active-passive is so much better...traffic handling, speed, no blade limitation.

Andy

Re: Checkpoint Active-Active Cluster

Chris_Atkinson — Mon, 29 May 2023 13:00:20 GMT

What hardware do you have?

Another option to considered here might be Maestro.

Re: Checkpoint Active-Active Cluster

the_rock — Mon, 29 May 2023 13:08:46 GMT

Also, to add to great point @Chris_Atkinson made, consider below even when creating load sharing cluster object in smart console. Too much headache for so many limitations...

Andy

https://support.checkpoint.com/results/sk/sk162637

Re: Checkpoint Active-Active Cluster

Timothy_Hall — Mon, 29 May 2023 13:15:22 GMT

To let the active gateways themselves determine/balance the load assignment between them, you would need to use Load Sharing Unicast or Load Sharing Multicast (not Active/Active), which as Blason said has major issues with VPNs. For Load Sharing Unicast there is a GUIdbedit variable called Pivot_overhead that can be adjusted to affect how assigned load is handled. For Load Sharing Multicast I would imagine there are probably some kernel variables that can be adjusted to affect load/connection assignment, but if there are they don't appear to be documented. But generally the Load Sharing modes are not a good idea due their complexity/limitations and I don't recommend them.

The newer Active/Active mode introduced in R80.40 (which is completely separate from Load Sharing) allows an external entity (Maestro Orchestrator, BGP/OSPF, F5, etc.) to decide which member should handle which traffic based on its own metrics (bandwidth, delay, load, reliability, MTU, etc). This would probably be the best way to achieve your objective but you'd have to assign/influence what the loads would be on the external device.

Re: Checkpoint Active-Active Cluster

PhoneBoy — Mon, 29 May 2023 15:59:15 GMT

A ClusterXL Active/Active of two gateways will at best give you 1.5x of the performance of a single gateway…if using multicast mode.
Not to mention the various limitations of being in ClusterXL Active/Active.
R82 with ElasticXL will provide a bit closer to 2x performance (similar to Maestro).
Regardless of the clustering technology, if you’re continually running a two node cluster at above what a single gateway does on its own, you’re setting yourself up for failure since a failure of one gateway will result in overloading the other gateway…

Re: Checkpoint Active-Active Cluster

Timothy_Hall — Mon, 29 May 2023 16:58:42 GMT

The SK you linked to state the limitations for ClusterXL Load Sharing, not the newer Active/Active. I think you meant this:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content/Topics-CXLG/Active-Active-Mode.htm#Limitations

The notable limitations for Active/Active is lack of support for VSX, and the inability to do a Hide NAT behind the cluster/virtual IP because there isn't one in Active/Active mode.

Re: Checkpoint Active-Active Cluster

the_rock — Mon, 29 May 2023 17:03:18 GMT

Good catch...I think its same link I posted, but yea, thats 100% one for clusterXL active-active.

Cheers,

Andy

Re: Checkpoint Active-Active Cluster

Timothy_Hall — Mon, 29 May 2023 17:18:04 GMT

Yeah when teaching CCSE I constantly catch myself using the term "Active/Active" when I mean Load Sharing. Doesn't help that Load Sharing was frequently referred to as Active/Active prior to R80.40. 🙄

Re: Checkpoint Active-Active Cluster

the_rock — Mon, 29 May 2023 17:19:31 GMT

Its sort of how Americans pronounce tomato and how british people say it...sounds different, but its the same thing 😂

Re: Checkpoint Active-Active Cluster

Blason_R — Mon, 29 May 2023 17:24:00 GMT

Nice catch - Yes I mean load sharing has a few limitations which I always faced.

Re: Checkpoint Active-Active Cluster

Digo11 — Tue, 30 May 2023 10:27:38 GMT

Hi @Timothy_Hall, The SK describes the active-active scenario for two different geographical areas which is not required in my case. Your other recommendation "you would need to use Load Sharing Unicast or Load Sharing Multicast (not Active/Active)" seems to be the answer I was looking for.

But looking at the complexity and limitations of implementing it by playing with kernel parameters would be a difficult task I guess. Thanks for the quick suggestion I will discuss it with my team further.

Regards,

Digo.

Re: Checkpoint Active-Active Cluster

the_rock — Tue, 30 May 2023 11:05:21 GMT

Based on all the links we gave you and what guys said, I would honestly stay away from it, not worth it.

Just my 2 cents...

Andy

Re: Checkpoint Active-Active Cluster

Matlu — Sat, 16 Sep 2023 01:42:39 GMT

Hello,

Following this thread, please, in your experience, have a Cluster in Load Sharing mode 30/70%.
Do you know if it also gives you "headaches" with the use of the Identity Awareness blade?

I have network users, that can only be seen on the Cluster member that is with the highest load %, but cannot be seen on the other member.

It is really becoming a terrible headache.
I inherited this architecture configured that way.
I don't know the reason why.

Is it natural, this behavior?

Greetings.