This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Manoj_Tiwari
Explorer
‎2018-07-25 08:51 AM

ISP Redundancy (load sharing) issue in R80.10

Recently I have setup the checkpoint firewall 5400 series Gaia R80.10 in cluster environment. Where I have to configure the ISP redundancy in load sharing mode. But after it goes on live, we have faced the high CPU utilization issue, some traffic has been dropped without hitting in policy, first packet isn't sync packet  etc issues.

I have configured the ISP redundancy with reference of R77.30 but I don't even find the any guide and documentation for the ISP redundancy in R80.10.

My question is:

-does anybody implemented the ISP redundancy in R80.10?

-If checkpoint doesn't provide any documentation for that, is it supported or not in R80.10?

Thanks,

Manoj

21 Replies
PhoneBoy
Admin
Admin
‎2018-07-25 09:28 AM

The steps for configuring ISP Redundancy haven't changed in many versions, and yes it's supported in R80.10.

If you want to verify you've configured it right for R80.10, refer to the ClusterXL Admin Guide: ClusterXL R80.10 (Part of Check Point Infinity) Administration Guide 

That said if you're experiencing High CPU, you might want to engage with the TAC. 

0 Kudos
Timothy_Hall
Champion
Champion
‎2018-07-25 10:13 AM
In response to PhoneBoy

The high CPU being experienced is almost certainly related to the fact that all traffic on the firewall will go F2F (i.e. no acceleration) when ISP Redundancy is configured in Load Sharing mode.  

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Ankur_Datta
Collaborator
‎2018-10-15 04:05 AM
In response to Timothy_Hall

Hi Tim,

In R80.20 also we will see same behavior?

ISP redundancy configured in load sharing, all traffic takes F2F path and not accelerate the packet. we have firewall and VPN blade and most of the traffic is for VPN.

Thanks. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-15 04:21 AM
In response to Ankur_Datta

There were some pretty significant changes to the architecture of SecureXL in R80.20.

I don't know if they are enough to overcome this specific limitation.

Shahar_Grober
Advisor
‎2018-10-31 02:53 AM

In my opinions, features which disable acceleration should be eliminated by Check Point. It is not possible to work today without SecureXL. sending traffic to F2F path due to limitations in specific feature is like going 10 years back. 

I tried to use ISP Redundancy in load sharing and had to turn it off after a while due to:

1. It is not working with PBR or even simple NAT rules, which means that there is no way to control which traffic will go through which link (Please don't point me to SK's or TAC, I tried both)

2. The performance was too high 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-31 02:59 AM
In response to Shahar_Grober

We are definitely working to reduce the situations where packets go F2F.

Curious, did you try it in R80.20?

0 Kudos
Shahar_Grober
Advisor
‎2018-10-31 03:09 AM
In response to PhoneBoy

Are there any changes to ISP redundancy behavior in R80.20?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-31 03:32 AM
In response to Shahar_Grober

There are some significant changes to SecureXL in R80.20.

This could impact ISP Redundancy positively.

Shahar_Grober
Advisor
‎2018-10-31 03:51 AM

Thanks for the tip Deamon,

As I pointed out, ISP redundancy in load sharing disables SecureXL.

Is there a way to know what are the changes in SecureXL in R80.20 (there is nothing about it in sk122485)? 

0 Kudos
Timothy_Hall
Champion
Champion
‎2018-10-31 05:06 AM
In response to Shahar_Grober

SecureXL has been radically improved in R80.20 to support the Falcon cards, easily the biggest change to SecureXL since CoreXL was introduced in R70.   I've been a bit quiet on this topic even after my trip to Israel, mainly because I'm still making sure I have everything straight in my head about how it works now before spouting off.  As you noted the documentation for SecureXL in R80.20 is still bit sparse; the Acceleration team is probably focused on getting the Falcon accelerator card into GA rather then writing documentation, at least for the moment.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Shahar_Grober
Advisor
‎2018-10-31 01:44 PM
In response to Timothy_Hall

Thanks for the information Tim,

I would like to hear and learn more about the newly expected acceleration cards and understand how they improve performance. I am in doubt that they can solve the ISP redundancy and acceleration issue but let's see. 

Please don't underestimate in documenting feature, a good documentation, "how to?'s", training and sometimes marketing can make the difference between a good and great feature/product. 

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2018-10-31 11:38 PM

I wonder why is this limitation? How is LS different from HA from SecureXL point of view (other than the default route is already known in advance)? As far as I know outgoing connections are sticky to an ISP link so in a way it is the same as HA. 

0 Kudos
Shahar_Grober
Advisor
‎2018-11-01 01:27 AM

Good Question Hristo,

Dameon Welch-Abernathy‌ can you point this question to R&D?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-01 03:10 AM

Will ask if R80.20 makes a difference here (which is the real question) Smiley Happy

e78f45f8-026e-3
Employee
Employee
‎2018-11-05 05:06 AM

when you work with ISPR LS mode , the connection is not accelerated , this is  a limitation in all versions .

this is probably the reason you get the high cpu .

in case you use ISPR in HA mode the connection will be accelerated ,

PhoneBoy
Admin
Admin
‎2018-11-05 06:26 AM
In response to e78f45f8-026e-3

Checked with my sources in R&D, this is still a limitation in R80.20 as well.

Shahar_Grober
Advisor
‎2018-11-05 12:03 PM
In response to PhoneBoy

Thanks for checking this Dameon. I think that we all agree that features which disable acceleration (F2F) are almost impossible to use in production environments.

About R80.20, I am very curious about the acceleration improvements and the new Falcon cards. I would like to get more information about it in the community. Are the cards targeted to release at CPX?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-05 06:10 PM
In response to Shahar_Grober

Much of SecureXL was moved into userspace, which will allow better scalability on larger machines.

Can't say for sure when the cards will release, but we have an EA program for them which you are welcome to participate in Smiley Happy

0 Kudos
RS_Daniel
Advisor
‎2019-09-20 09:29 AM
In response to PhoneBoy

Hi,
Do you know if this issue is still present in R80.30? or does checkpoint has a roadmap to solve this in the future? Thanks in advance
PhoneBoy
Admin
Admin
‎2019-09-20 10:38 AM
In response to RS_Daniel

This is still a limitation.
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2018-11-05 07:40 PM
In response to Shahar_Grober

Couldn't agree more. Using more than one ISP in most cases make it mandatory to use SecureXL. I really hope CP overcomes technical difficulties and implement this. 

0 Kudos
Labels