This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rccou
Participant
‎2020-03-11 03:22 AM

BGP peering with ClusterXL across 2 sites - use a VIP

Hi,

We have 2 sites connected by a 10Gb circuit.  We have a pair of Firewalls running R80.30 set as Active/Standby using ClusterXL.

We have an  eBGP peering to a remote entity which uses the Cluster VIP on our side.

The problem, as noted yesterday during a downtime window for one of the sites, is that if we take a site down for maintenance the FWs stop talking to each other so they switch the Standby FW to Active and it takes over the VIP.  However this site was the one we had taken down therefore the whole company lost connection to the remote entity.

I read that it is best practice to use the VIP for ClusterXL and BGP but is that only really the case when both FWs are in the same rack?

If they are in different sites would it make more sense to have 2  eBGP peerings and an iBGP peering between them?

Is there going to be any problem with setting this up, due to them being essentially the same cluster?

Will this work?

0 Kudos
3 Replies
Chris_Atkinson
Employee Employee
Employee
‎2020-03-11 06:17 AM

Could you please tell us more about your BGP configuration and process used to take a site offline?

Are you using graceful restart and is there only a single non-redundant path between the sites...

CCSM R77/R80/ELITE
0 Kudos
Rccou
Participant
‎2020-03-11 07:17 AM
In response to Chris_Atkinson

Hi Chris,

Taking the site offline was done by powering down the switches that connects the FW to the peer router.  It's a fibre across a DC. 

This would have also taken down the site to site cluster communications so it would trigger the cluster switchover. Here's another question: Would the VIP move from the old Active (would this go to Standby?) to the new Active or would they both keep the VIP independently?

The BGP peering is with a Juniper MX. It's completely basic eBGP.  Each FW has a peering to a different MX router, both coming from the same VIP. No iBGP between them.

(if it's done wrong or suboptimally then feel free to say - I inherited it)

Thanks

0 Kudos
Wolfgang
Authority
Authority
‎2020-03-11 07:26 AM

Rccou,

what you describe is normal behaviour with ClusterXL HA.

One node is active with the VIP and the other node is in standby.

If active is failing, then standby becomes active and the VIP will be active there.

Maybee you have a design problem for your needs and you are running better not using ClusterXL.

As an example one gateway as single instance in every location, both are active. And with dynamic routing internal and external (BGP, OSPF, BFD) you can build your redundancy.

Wolfgang

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events