it is single site dual MHO cluster and we want to failover if any interface(from bond1) from MHO1 goes down.

This would be a single bond all links active think vPC. 

we are using active/standby concept.  

Single site deployment looks like this: both MHO are active.

Thank you for reply. I have few more queries regarding the maestro architecture. 

Question 1: is maestro always work in Active/Active state in single site dual orchestrator with 3 security gateways connecte with
both the orchestrators and uplink switch is in VPC mode?

Question 2: Can we configure active /standby state in single site dual orchestrator with 3 security gateways connect with
both the orchestrators? if yes , can you please share the design and configuration?

Question 3: if we are using maestro Active/Active mode then how we can configure the interfaces in bond with active and backup state?
as depicted in diagram can we decide which 2 ports always be in active state in bond and backup interfaces will be active in
case of current active interface is down?

1.-Yes, both orchestrator should be connected on switches as regular uplink, they are a bond. 

2 & 3 -MHO are Active/Active, what you control is the bond. On the bond you can configure primary interface

---

@Dario_Perez wrote:

1.-Yes, both orchestrator should be connected on switches as regular uplink, they are a bond. 

2 & 3 -MHO are Active/Active, what you control is the bond. On the bond you can configure primary interface

---

if you have a regular cluster like this

then your deployment should be something like this

Thanks for your prompt reply.

2 & 3 -MHO are Active/Active, what you control is the bond. On the bond you can configure primary interface ( Can you please share the conf/commands to configure this on bond interface.

1.-Yes, both orchestrator should be connected on switches as regular uplink, they are a bond. 

if maestro in single site dual orchestrator is always active/active . it is a default behavior or we have to configure it ?

is it active/standby design ? i didn't find any configuration document or any details in checkpoint admin guide. do you have any document which we can use to configure the device ?

Maestro is all active/active solution, what you can define as Active/Standby on single site configuration is the bonding

in case you have eth1-05 in orch1 and eth2-05 in orch2 you can define on bond which one is active and other remain as Backup. 

Thank You. it means we can only achive this via bond active/backup mode option else all the ports will work in load balance mode. 

one more query.

While we are using Maestro Active/active orchestrator and we have 3 gateways connected with both the orchestrators on 10 G DAC cable ? what would be the bandwidth we will have on downlink ?Is it 60 GB or we will have only 30 GB downlink bandwidth?

Chris in your picture you have the 2 uplinks crossed to the 2 device in the top, we have a situation where the cross was not applied, when the switch in the top left went down, bond/layer2 (during a controlled upgrade procedure) a drop of traffic was encountered for about 20 seconds. Will this cross prevent this drop? My logic would say the MHO was unable to detect that the switch went down. The bond protocol is set to LACP.
So the main question would be: if in the crossed situation 1 link will fail will it also take 20 seconds before the Maestro will indentify the link as down?

@Maarten_Sjouw have a look at your settings of the lacp-rate on both ends of the bond. Maybe it's set to slow and this will result in a longer time to detect the failing link.

In the past we had the same problem with an outage of 30s if one of the MHOs goes down. This was a known problem and solved with one of the jumbo hotfixes (later R81.10 version 100, I can't remember the exact version.)

Thanks @Wolfgang,

Did some checking, LACP slow is set but that would take 3 x 30 seconds for the link failure to be detected, lacp fast take 3 x 1 second.

Your second guess would be much more to the point as we are running JHF 93 at the moment, so we need to see that we raise to the latest JHF as soon as possible.

Thanks again.

@Maarten_Sjouw some digging through our ITSM.... after installing R81.10 Jumbo take 110 no more traffic outage if one the MHOs was not available. All bonds are using LACP, lacp-rate fast and of course portfast enabled (but I think not relevant here..)

Not ruling out JHF fixes but also smells a little like spanning-tree - how are things like port-fast set here for the connections to Maestro?

Sorry Chris, but portfast is only relevant when the port is just connected/enabled, in this case both Orchestrators are in a working situation and one of the switches the first Orchestrator is connected to is taken down for an update of its software. As currently each Orchestrator is connected to only 1 switch the traffic should simply fail over to the other Orchestrator. 

We know that we should change the uplinks to utilize both switches but previous versions of the software did not allow the bond to be used over multiple switches in our configuration.

Noted - Thanks for clarifying when the interruption occurs.