cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Behavior of HA cluster when SYN link is down

Hi,

I am bit confused in behavior of HA cluster. We have configured HA cluster between our 2 firewalls (12400 and R77.30). We have point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and Standby firewall goes to Active state, which we can see in cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or like Cisco HSRP, both firewalls should go to Active Active mode. 

 

Thank you

Sumedh

 

 

10 Replies

Re: Behavior of HA cluster when SYN link is down

Use a LACP bond interface in HA mode for your sync. This is the sulution to secure your sync interface.

More informations can you found here:

R80.30 cheat sheet - ClusterXL

Tags (1)
Employee+
Employee+

Re: Behavior of HA cluster when SYN link is down

Refer also sk133372 are you using JHF T343 or above?

(When you say sync is going down how is it normally connected to a switch or directly to the peer gateway.)

0 Kudos

Re: Behavior of HA cluster when SYN link is down

Hi,
We are using take 317. SK which you have shared is for stability issue, we dont have any stability issue. My concern is regarding the state of Active firewall which goes down when Sync link goes down.

Thank you
0 Kudos

Re: Behavior of HA cluster when SYN link is down

Thanks for your suggestion, we will check and try for LACP to avoid single link failure.
0 Kudos
Employee+
Employee+

Re: Behavior of HA cluster when SYN link is down

Please review the details of the SK closer specifically regarding SYNC.
0 Kudos

Re: Behavior of HA cluster when SYN link is down

Or you can also set up 2nd sync link over lowest VLAN on any of interfaces.
In some cases, we temporary used External interface as Sync, although such a configuration is not recommended by Check Point.

Kind regards,
Jozko Mrkvicka
0 Kudos
Employee+
Employee+

Re: Behavior of HA cluster when SYN link is down

sk92804 outlines why multiple sync interfaces aren't recommended (performance impact) and the preference for bonds.
Oliver_Fink
Nickel

Re: Behavior of HA cluster when SYN link is down

I just crosschecked what I memorized and I remembered it right. sk92804 says:

Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy is not supported for the following reasons: […]

 

Multiple sync interfaces are not just "not recommended" but "not supported". In my opinion this is a stricter statement.

0 Kudos

Re: Behavior of HA cluster when SYN link is down

Got the points in sk92804. We can follow the steps mentioned in that SK.  

0 Kudos

Re: Behavior of HA cluster when SYN link is down

Hi @Sumedh_Gujar,

 

Even that most of the comments are on how to prevent losing SYNC connection I want to step back you your original question.

If I can correctly the question is actually - will there be split-brain (active-active) situation if the sync link is down?

The answer is no. In contrast to other vendors, Checkpoint is using all cluster interfaces to monitor the member. This means that if the sync link is down, the FW will check if it still receive ccp packets from the other member through any of the cluster interfaces. You will probably loose connection table synchronization (if I am not wrong, connection sync will happen only via sync link, but heartbeat monitoring is via all cluster interfaces), but no split-brain scenario should occur. A failover will occur, because the active member will report interface down, the second member will become active ( attention) since it also has interface down.

 

 

 

0 Kudos