
interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

There is a good deal of posts on the difference between VRRP and CXL in this community but they are contrasting one against the other.

I stumbled over the question of the interaction between the two: The question arose …

  • whether or not to tick the ClusterXL check box for VRRP deployment and …
  • what benefit/change it would have/bring and …
  • what use cases would make you choose one over the other.

Initially I was suspicious whether VRRP without CXL would potentially not do session sync but testing this revealed that CCP packets are going across the sync link which seem to transfer the traffic tables between cluster members.

With regards to how to configure this there seems to be contradicting information in various resources:

The following make a point for enabling the CXL tickbox:

  1. The fact that the menu changes from “3rd party configuration” to “ClusterXL and VRRP” indicating there is a use case for enabling both at the same time:
     [screenshot]
     changes to
     [screenshot]


  2. SK on “How to configure VRRP on Gaia”: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

[screenshot]

The following make a point against enabling the CXL tickbox:

3. R77.30 ClusterXL Guide:

[screenshot]

4. and similarly R80.30 ClusterXL Guide, p73:

[screenshot]

5. If session sync already happens without CXL, what's the point of enabling the tickbox for CXL? As per the above screenshot only ENABLING the ClusterXL tickbox will give you the option to DISABLE state sync ... which is the opposite of what I expected. But I guess this is another reason that fuels my naive view that it looks as if there would not be any noteworthy additional functionality that the CXL checkbox unlocks.

Any ideas?

 

0 Kudos
12 Replies

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

I understand some confusion. Here is the deal:

When you choose VRRP for clustering, VRRP itself is responsible for Virtual cluster IPs and probing, and ClusterXL is used for sync. The former is happening on OS level, the latter is on FW level.

To install VRRP cluster, as the documentation clearly states, do not mark ClusterXL checkbox in the first time wizard process. You will have to configure VRRP settings through WebUI or Clish later on, follow OS admin manual for that.

On the cluster object, configure 3rd party and VRRP, as in your screenshot. ClusterXL CCP will only be used on FW level for sync, and it will not be active on OS level, relying on VRRP for virtual IPs and network probing.

 

Hope this helps,

Val

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

Hi Val,

thanks for the quick response but it doesn't answer my question yet. I fully agree with your approach w.r.t. the first time wizard, but I meant to enquire about the setup in SmartConsole and only after the FTW has completed and whether or not to tick the ClusterXL tickbox and what difference it makes:

[screenshots]

You can configure VRRP as the clustering protocol either way, with or without ClusterXL tickbox enabled.

Thanks

Albert

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

I fail to understand what you are asking.

If you set up VRRP, you should use VRRP for clustering in SmartConsole, exactly as it is shown in your screenshots. There is nothing else to do. You only set up your cluster to ClusterXL if you set it up as such through FTW on each of the GWs.

 

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

... yet the SK (see the screenshot from my first post) explicitly states that you have to enable the ClusterXL tickbox when using VRRP whereas you seem to indicate you shouldn't choose ClusterXL anywhere unless I am misunderstanding you?

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

I think the difference is in the OS used.

If you are using some old systems with IPSO or XOS (Crossbeam), then 3rd Party Clustering (ClusterXL disabled) will be correct.

But if you are using Gaia with VRRP, you should enable it as stated in the documentation.

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

Hi Norbert, thanks for chiming in:

I would have intuitively agreed with you and @Val_Loukine Val who also suggests that CXL is adding functionality for session sync, but session sync works even after I removed the CXL from the GW properties, I'll explain more in my post to Val below, as it matches both your and Val's statements. I would also fully see why an unusual OS choice could impact the choice of whether or not to tick CXL.

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

Hmm, you've indeed pointed me to something I didn't see before and maybe the clue is indeed in the OS: when CXL tickbox is DISABLED, it specifically says Check Point IPSO VRRP. This clouds everything for me even more...

  • Not sure if you agree but shouldn't this trigger a verification warning when your (as per the "IPSO" label) OS-specific clustering mechanism doesn't match the selected OS (which is Gaia)?
  • The policy installation worked and VRRP seemed to work fine - what's the IPSO-specific part of it at all?

These questions are not meant to criticise your post, quite the opposite. They are meant as a challenge for the community as I really can't get my head around whether this is just highly unintuitive and results in identical behaviour, or whether one is a "bad" or at least "functionally different" configuration that CP just doesn't alert you to, even if incompatible to your device.

 

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

Uh, finally got the source of confusion.

 

[screenshot]

That is the step you are asking about, right?

So, for sync to work, you need to enable ClusterXL kernel module of your FW. It is being done for a cluster object at the General Properties tab.

As I have mentioned before ClusterXL is still required for FW, but not for OS to form a cluster with VRRP.

Personally, I do not see any reason other than habit, to use VRRP and not full ClusterXL solution. But the final decision is up to you.

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

Yep, that ClusterXL is exactly the tickbox that changes the menu and both with and without having it ticked your failover mechanism can be VRRP. Now the question for me is whether the CXL tickbox choice will make any functional difference at all.

As stated in my initial post:

Initially I was suspicious whether VRRP without CXL would potentially not do session sync but testing this revealed that CCP packets are going across the sync link which seem to transfer the traffic tables between cluster members.

To explain the background of this whole post better, it's based on my customer's (I work at a reseller) question who used to have his old VRRP cluster with CXL ticked and now found that the cluster was migrated to a different CP object that had CXL unticked, so he asked me about which one is correct and whether there is any difference in functionality. There is no current issue, just headscratching on all sides.

So I did the following:

  1. created my R80.40 lab cluster as VRRP, played around somewhat
  2. then ticked CXL (but left the clustering mechanism as VRRP in the pane labeled "ClusterXL and VRRP")
  3. disabled the CXL tickbox again,
  4. pushed policy

...only to find out that session sync STILL worked to my surprise (as verified with fw tab -t connections -u -f). I rebooted but it didn't change, session sync and the typical 8116/udp CCP packets were still happening on the sync link. Maybe I tainted my cluster by enabling CXL and disabling doesn't really work? If you agree that this is the only explanation why CCP packets are on the sync link even after disabling CXL, I'll be testing this again in 10 days after some days off again with a fresh cluster that NEVER had CXL enabled (i.e. "3rd party configuration") to see whether it will already sync sessions, contrary to what I think is everybody's expectations unless there are any other suggestions.

 

0 Kudos
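
The wire-level half of the check described in the post above (are the 8116/udp CCP packets on the sync link, and do they come from both members?) can be scripted. This is an added example, not part of the thread or of any Check Point tooling; the frames, the member addresses and the function names are constructed, and matching on UDP destination port 8116 alone is an assumption.

```python
import struct
from collections import Counter

CCP_PORT = 8116                        # UDP port the thread reports for CCP
MEMBERS = ["192.0.2.1", "192.0.2.2"]   # constructed sync-interface addresses

def build_frame(src, dst, sport, dport, payload=b"\x00" * 8):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp

def ccp_senders(frames):
    """Count UDP/8116 packets per source IP, skipping malformed frames."""
    counts = Counter()
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                   # too short, or not IPv4 over Ethernet
        ihl = (f[14] & 0x0F) * 4
        if f[14] >> 4 != 4 or ihl < 20 or f[23] != 17:
            continue                   # bad IP header, or not UDP
        if struct.unpack("!H", f[20:22])[0] & 0x1FFF:
            continue                   # non-first fragment: no UDP header
        off = 14 + ihl
        if len(f) < off + 8:
            continue                   # truncated UDP header
        if struct.unpack("!H", f[off + 2:off + 4])[0] == CCP_PORT:
            counts[".".join(map(str, f[26:30]))] += 1
    return counts

def sync_verdict(frames, members):
    """Report who sent CCP and which expected members stayed silent."""
    seen = ccp_senders(frames)
    return {"senders": dict(seen),
            "silent": [m for m in members if seen[m] == 0]}

def sample_capture():
    """Constructed capture: CCP from both members, one DNS, one truncated."""
    a, b, bc = MEMBERS[0], MEMBERS[1], "192.0.2.255"
    frames = [build_frame(a, bc, 8116, 8116) for _ in range(3)]
    frames += [build_frame(b, bc, 8116, 8116) for _ in range(2)]
    frames.append(build_frame(a, "192.0.2.53", 40000, 53))
    frames.append(build_frame(b, bc, 8116, 8116)[:30])
    return frames

if __name__ == "__main__":
    print(sync_verdict(sample_capture(), MEMBERS))
```

CCP packets from both members show that the members are talking on the sync link, not that the connections table is synchronized; the table check the poster ran with fw tab covers that half.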

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

I admire your curiosity. 

I suspect the checkbox in question is related to some legacy settings. Once upon a time, we have supported many different platforms and OSs, and things on Gaia might be more fool-proof than on third party. Anyhow, please stick to the book to be on the safe side. 

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

0 Kudos

Re: interaction between VRRP and CXL - why is there a tickbox for ClusterXL when the cluster is VRRP

Hi there, these limitations are worthwhile knowing about, but is there anything specific that applies to this post's topic? Sorry, I might just be blind 🙂
0 Kudos