Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Philip_W
Contributor

ClusterXL active-active vs active-passive

Hi CheckMates!

We are going to implement new CheckPoint clusters to replace the ageing Juniper firewalls. I was going to install 2 HA Active-Passive clusters, each with 2 IP addresses + VIP per WAN link but the ISP's design does not allow this.

ISP is suggesting the following:

- Site1 GW1 uses the Active Layer3 link with IP address a.a.a.x/31 for internet access

- Site1 GW2 uses the Active Layer3 link with IP address b.b.b.x/31 for connections between sites via IPSEC

- Site2 GW1 uses the Active Layer3 link with IP address c.c.c.x/31 for internet access

- Site2 GW2 uses the Active Layer3 link with IP address d.d.d.x/31 for connections between sites via IPSEC

(Apparently "on Juniper you can use a WAN link on the Active member, and another active WAN link on the Passive member")

If you ask me, this cannot be done in a CheckPoint Active-Passive setup. At a minimum I'll need an Active-Active load sharing cluster, but then I imagine I'll run into issues using different subnets on the WAN interfaces of each cluster member.

What is your opinion? Any suggestions?

Kind regards

Ph.

5 Replies
G_W_Albrecht
Legend
Legend

Why do you need two IP addresses per cluster ? Using VIP you have one IP per ha cluster only...

CCSE CCTE CCSM SMB Specialist
Gaurav_Pandya
Advisor

Generally I would prefer Active/Passive mode in cluster environment. You should use active/active mode only if your single gateway is not able to handle traffic/ CPU/ Memory.

Below are some drawbacks of active/active mode.

SecureXL does not support load balancing

SK42359 - SecureXL and Sticky decision function in ClusterXL Load Sharing Mode

SK65486 - Features not supported by Sticky Decision(SDF)

SK31680 - Load sharing mode with SDF

0 Kudos
Marco_Valenti
Advisor

good luck with that

0 Kudos
Jerry
Mentor
Mentor

hi Phil

that's saying at least a little bit overcomplicated design, all you need is as Guenter suggested:

1 VIP IP per claster on each interface (with sync) and other interfaces as designed with physical x 2 and VIP on each

1 VIP on each WAN side towards CPE from the same subnet with /mask etc. - nothing really as complicated as you've described. I think this entire design is an attempt of migrating Juniper Netscreen devices to GAIA am I right ? Smiley Happy

make it simple and do follow mentioned SK's - all you need is the HA Active/Passive (Active/Active with LSM mode is not really very up2date architecture any longer - see Valeri posts from few weeks ago) - you don't need A/A LSM nor A/A - all what's needed is a proper "subnetting" and structure of vlans/subnets/interface's design - that's all.

For the sake of IPSec - don't pay attention to this, IPSec peers can be terminated on each Gateway VIP IP address and there is no need for anything to worry about - just valid routing table and off we go  

All the best

Jerry

Jerry
Philip_W
Contributor

Hi All,

Thanks for your replies - great to see Checkmates in action and helping me out. I'll try to return the favour later!

@Jerry:

Indeed:

- The guys at the ISP are used to working with Juniper

- In my first meeting with them, first thing I said was: I'm going to need 3 IPs per link, because I want to work with HA clustering & VIP.

Thank you for confirming that I was on the right track!

Best regards,

Philip

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events