This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sarm_Chanatip
Collaborator
‎2019-07-19 01:49 AM

When will checkpoint support the Load Sharing mode in either R80.20 and R80.30?

Jump to solution

Dear Check Point Team,

 

Regarding the known issue with ClusterXL R80.20 and above does not support Load Sharing mode. Therefore, SmartConsole blocks such a configuration with a warning message.

 

I would like to know when it will be fixed and become to support like an R80.10.

 

Regards,

Sarm

0 Kudos
3 Solutions

Accepted Solutions
Dorit_Dor
Employee
Employee
‎2019-07-19 07:33 AM
In response to HeikoAnkenbrand

Jump to solution

In r80.20 /.30 we introduced new limitation on load sharing with VPN (Due to maestro code main train unification, we took the maestro side and broken the main train side. Since the usage is low, it was the best tradeoff among the alternatives).

Due to the type of limitation, we decided to block the whole feature temporarily till we will make it clearer (so user can understand what is working). We are now in the process of enabling the large part of load sharing that does work, on r80.30. If you need this more urgently, contact our solution center to get assistance till we complete the publication of it (as its artificially blocked). 

Load sharing with vpn is still blocked (this requires development) and we will bring it back but in future release (most cases i saw that did use load sharing, didnt need the vpn aspect so the above should cover the vast majority). 

Dorit

View solution in original post

Dorit_Dor
Employee
Employee
‎2019-12-05 08:43 AM
In response to An_Nguyen

Jump to solution

Scroll up in this checkmates post and see response from the R&D leader from October. The solution is available already part of GA jumbo's and you can read all about it in sk162637

Version  Take 
 R80.20  Jumbo HF take 117 and above
 R80.30 kernel 2.6.18/3.10  Jumbo HF take 76 and above

 

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-19 06:58 PM

Jump to solution

As for support for Load Sharing + VPN, it is available in a customer release for R80.40.
Please engage your local Check Point office to obtain this release.
It's planned to include this functionality in a future release (after R81).

View solution in original post

0 Kudos
17 Replies
HeikoAnkenbrand
Champion
Champion
‎2019-07-19 06:17 AM

Jump to solution

It's been discussed here.

 I once copied a passage from @PhoneBoy answer:

CUT>>>

Load Sharing has a few limitations, see:

The amount of sync traffic required for ClusterXL Load Sharing significantly limits its scalability, particularly as you get into 3 and 4 node clusters.

It also reduces overall cluster resiliency in the case where one member fails, particularly if you are utilizing the load sharing cluster at or near capacity.

Given the above, I usually advocate for buying right-sized appliances for an HA configuration versus buying smaller appliances using load sharing.

And, in fact, this is what the vast majority of our customers do.

Maestro solves a lot of these limitations and improves scalability dramatically over ClusterXL Load Sharing.

<<<CUT

I also think Maestro is the future technology.

0 Kudos
Dorit_Dor
Employee
Employee
‎2019-07-19 07:33 AM
In response to HeikoAnkenbrand

Jump to solution

In r80.20 /.30 we introduced new limitation on load sharing with VPN (Due to maestro code main train unification, we took the maestro side and broken the main train side. Since the usage is low, it was the best tradeoff among the alternatives).

Due to the type of limitation, we decided to block the whole feature temporarily till we will make it clearer (so user can understand what is working). We are now in the process of enabling the large part of load sharing that does work, on r80.30. If you need this more urgently, contact our solution center to get assistance till we complete the publication of it (as its artificially blocked). 

Load sharing with vpn is still blocked (this requires development) and we will bring it back but in future release (most cases i saw that did use load sharing, didnt need the vpn aspect so the above should cover the vast majority). 

Dorit

Sarm_Chanatip
Collaborator
‎2019-07-22 09:51 PM
In response to Dorit_Dor

Jump to solution
Hi @Dorti,

You mean the Load sharing with vpn is still blocking or as whole Load sharing configuration.

Thank you in advance.
0 Kudos
Dorit_Dor
Employee
Employee
‎2019-07-22 10:02 PM
In response to Sarm_Chanatip

Jump to solution

today: all load sharing is blocked except maestro

working to certify: enabling load sharing without vpn on R80.30 (can be done now if urgent contact us)

later after more development: load sharing with vpn 

Sarm_Chanatip
Collaborator
‎2019-07-22 10:08 PM
In response to Dorit_Dor

Jump to solution

Hi Dorit,

Thank you for clarification.

However, can you estimate the time that the Load Sharing mode will be back in R80.20 and R80.30?

As I know if the customer wants to use this functionality they need to implement with R80.10, right?

0 Kudos
Dorit_Dor
Employee
Employee
‎2019-07-22 10:27 PM
In response to Sarm_Chanatip

Jump to solution

I am quite implicit above: if you need non-vpn load sharing, you can get it now over r80.30 if you can contact us or wait to get it published publicly 

If you need vpn load sharing, we still need to develop so it will be on later release

If you are not clear, i recommend you will work w our local sales to further understand 

 

Sarm_Chanatip
Collaborator
‎2019-07-22 10:56 PM
In response to Dorit_Dor

Jump to solution

Hi Dorit,

I got it now. Thanks for clarification again.

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-07-22 09:46 PM
In response to HeikoAnkenbrand

Jump to solution
@Heiko

I link to the hyperlink you provided "It's been discussed here"
And found some comment from PhoneBoy, he said that checkpoint plan to bring it back later this year. Not sure if this true!
0 Kudos
Guy_Elyashiv
Employee
Employee
‎2019-10-07 08:17 AM

Jump to solution

Hi,

Please refer to sk162637 regarding the support of ClusterXL Load Sharing mode in R80.20 and above.


Regards,

Guy Elyashiv | Group Manager – Clustering & Multitenancy
0 Kudos
Timothy_Hall
Champion
Champion
‎2019-10-07 03:24 PM
In response to Guy_Elyashiv

Jump to solution

Thanks for the new and informative SK, is there some reason that the lifting of the ClusterXL Load Sharing restriction is not shown in the "list of resolved issues" for the R80.20 and R80.30 Jumbo HFA takes?

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Dorit_Dor
Employee
Employee
‎2019-10-07 03:39 PM
In response to Timothy_Hall

Jump to solution

Technically, load sharing vpn is still limited, ... so in order to avoid mistakes and the ui is technically still blocked (unless you open it).

Therefore you need to read the sk to open the ui and the release notes direct you to the sk 

 

An_Nguyen
Participant
‎2019-12-05 08:33 AM
In response to Dorit_Dor

Jump to solution

We have been waiting for a supported release that works with Cluster Load Sharing. 

This is a major reason while we are evaluating other Firewall Solutions. I have been told many times by support that load sharing is not a recommended solution.

0 Kudos
Dorit_Dor
Employee
Employee
‎2019-12-05 08:43 AM
In response to An_Nguyen

Jump to solution

Scroll up in this checkmates post and see response from the R&D leader from October. The solution is available already part of GA jumbo's and you can read all about it in sk162637

Version  Take 
 R80.20  Jumbo HF take 117 and above
 R80.30 kernel 2.6.18/3.10  Jumbo HF take 76 and above

 

0 Kudos
An_Nguyen
Participant
‎2019-12-05 11:04 AM
In response to Dorit_Dor

Jump to solution

It still doesn't solve the problem because it supports ClusterXL Load Sharing WITHOUT Ipsec VPN.

0 Kudos
Dorit_Dor
Employee
Employee
‎2019-12-05 11:39 AM
In response to An_Nguyen

Jump to solution

Indeed 

(1) Very small percentage used VPN w load sharing which is why we allowed this limitation in the first place 

(2) This part (the VPN w load sharing) required more complicated resolution vs the Maestro / scalable platform VPN. Therefore we gave priority to integrating the high end into the maintrain at the cost of not supporting load sharing w VPN in the short term

(3) We have a function called solution center that helps us resolve such missing pieces when they impact the business, by driving formal commitment to complete certain functionality by a certain date (they will deliver a formal commitment). Please leverage your local sales team or contact @PhoneBoy off line to get assistance 

 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2020-10-19 03:33 AM
In response to An_Nguyen

Jump to solution

As mentionend before, you currently can use either VSX VSLS or Maestro to overcome this limitation !

CCSE CCTE SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-19 06:58 PM

Jump to solution

As for support for Load Sharing + VPN, it is available in a customer release for R80.40.
Please engage your local Check Point office to obtain this release.
It's planned to include this functionality in a future release (after R81).

0 Kudos
Labels