Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Digo11
Contributor
Jump to solution

Checkpoint Active-Active Cluster

Hello Checkmates.

 

Can I configure clusterXL in active-active load sharing and define which gateway shall process what amount of traffic?

For instance, I have two gateways configured to operate in ClusterXL active-passive mode. I want to use it in an active-active mode where GW1 could handle 70% of traffic and GW2 could handle the rest. Is it possible?

Problem Statement: If my throughput is 10GBPS and I could achieve it using an active-active with two security gateways, in case one GW fails my whole network would be impacted.

 

Thanks.

Digo.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

A ClusterXL Active/Active of two gateways will at best give you 1.5x of the performance of a single gateway…if using multicast mode.
Not to mention the various limitations of being in ClusterXL Active/Active.
R82 with ElasticXL will provide a bit closer to 2x performance (similar to Maestro).
Regardless of the clustering technology, if you’re continually running a two node cluster at above what a single gateway does on its own, you’re setting yourself up for failure since a failure of one gateway will result in overloading the other gateway…

View solution in original post

14 Replies
Blason_R
Leader
Leader

Load will automatically will be decided and I doubt you will be able to control it. however understand the limitation as well. If you have VPN blade running or  mobile access - you wont be able to achieve A/A cluster.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend
Legend

There are some limitations as @Blason_R advised. 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Content/Topic...

If I were you, I would not bother, active-passive is so much better...traffic handling, speed, no blade limitation.

Andy

Chris_Atkinson
Employee Employee
Employee

What hardware do you have?

Another option to considered here might be Maestro.

CCSM R77/R80/ELITE
the_rock
Legend
Legend

Also, to add to great point @Chris_Atkinson made, consider below even when creating load sharing cluster object in smart console. Too much headache for so many limitations...

Andy

 

Screenshot_1.png

 

https://support.checkpoint.com/results/sk/sk162637

Timothy_Hall
Legend Legend
Legend

To let the active gateways themselves determine/balance the load assignment between them, you would need to use Load Sharing Unicast or Load Sharing Multicast (not Active/Active), which as Blason said has major issues with VPNs.  For Load Sharing Unicast there is a GUIdbedit variable called Pivot_overhead that can be adjusted to affect how assigned load is handled.  For Load Sharing Multicast I would imagine there are probably some kernel variables that can be adjusted to affect load/connection assignment, but if there are they don't appear to be documented.  But generally the Load Sharing modes are not a good idea due their complexity/limitations and I don't recommend them. 

The newer Active/Active mode introduced in R80.40 (which is completely separate from Load Sharing) allows an external entity (Maestro Orchestrator, BGP/OSPF, F5, etc.) to decide which member should handle which traffic based on its own metrics (bandwidth, delay, load, reliability, MTU, etc).  This would probably be the best way to achieve your objective but you'd have to assign/influence what the loads would be on the external device.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
PhoneBoy
Admin
Admin

A ClusterXL Active/Active of two gateways will at best give you 1.5x of the performance of a single gateway…if using multicast mode.
Not to mention the various limitations of being in ClusterXL Active/Active.
R82 with ElasticXL will provide a bit closer to 2x performance (similar to Maestro).
Regardless of the clustering technology, if you’re continually running a two node cluster at above what a single gateway does on its own, you’re setting yourself up for failure since a failure of one gateway will result in overloading the other gateway…

Timothy_Hall
Legend Legend
Legend

The SK you linked to state the limitations for ClusterXL Load Sharing, not the newer Active/Active.  I think you meant this:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content...

The notable limitations for Active/Active is lack of support for VSX, and the inability to do a Hide NAT behind the cluster/virtual IP because there isn't one in Active/Active mode.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

Good catch...I think its same link I posted, but yea, thats 100% one for clusterXL active-active.

Cheers,

Andy

Timothy_Hall
Legend Legend
Legend

Yeah when teaching CCSE I constantly catch myself using the term "Active/Active" when I mean Load Sharing.  Doesn't help that Load Sharing was frequently referred to as Active/Active prior to R80.40.  🙄

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

Its sort of how Americans pronounce tomato and how british people say it...sounds different, but its the same thing 😂

Matlu
Advisor

Hello,

Following this thread, please, in your experience, have a Cluster in Load Sharing mode 30/70%.
Do you know if it also gives you "headaches" with the use of the Identity Awareness blade?

I have network users, that can only be seen on the Cluster member that is with the highest load %, but cannot be seen on the other member.

It is really becoming a terrible headache.
I inherited this architecture configured that way.
I don't know the reason why.

Is it natural, this behavior?

Greetings.

Blason_R
Leader
Leader

Nice catch - Yes I mean load sharing has a few limitations which I always faced.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Digo11
Contributor

Hi @Timothy_Hall, The SK describes the active-active scenario for two different geographical areas which is not required in my case.  Your other recommendation "you would need to use Load Sharing Unicast or Load Sharing Multicast (not Active/Active)" seems to be the answer I was looking for.

But looking at the complexity and limitations of implementing it by playing with kernel parameters would be a difficult task I guess. Thanks for the quick suggestion I will discuss it with my team further.

 

Regards,

Digo.

the_rock
Legend
Legend

Based on all the links we gave you and what guys said, I would honestly stay away from it, not worth it.

Just my 2 cents...

Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events