Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sumedh_Gujar
Participant

Behavior of HA cluster when SYN link is down

Hi,

I am bit confused in behavior of HA cluster. We have configured HA cluster between our 2 firewalls (12400 and R77.30). We have point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and Standby firewall goes to Active state, which we can see in cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or like Cisco HSRP, both firewalls should go to Active Active mode. 

 

Thank you

Sumedh

 

 

11 Replies
HeikoAnkenbrand
Champion
Champion

Use a LACP bond interface in HA mode for your sync. This is the sulution to secure your sync interface.

More informations can you found here:

R80.30 cheat sheet - ClusterXL

Chris_Atkinson
Employee
Employee

Refer also sk133372 are you using JHF T343 or above?

(When you say sync is going down how is it normally connected to a switch or directly to the peer gateway.)

0 Kudos
Sumedh_Gujar
Participant

Hi,
We are using take 317. SK which you have shared is for stability issue, we dont have any stability issue. My concern is regarding the state of Active firewall which goes down when Sync link goes down.

Thank you
0 Kudos
Sumedh_Gujar
Participant

Thanks for your suggestion, we will check and try for LACP to avoid single link failure.
0 Kudos
Chris_Atkinson
Employee
Employee

Please review the details of the SK closer specifically regarding SYNC.
0 Kudos
JozkoMrkvicka
Leader
Leader

Or you can also set up 2nd sync link over lowest VLAN on any of interfaces.
In some cases, we temporary used External interface as Sync, although such a configuration is not recommended by Check Point.

Kind regards,
Jozko Mrkvicka
0 Kudos
Chris_Atkinson
Employee
Employee

sk92804 outlines why multiple sync interfaces aren't recommended (performance impact) and the preference for bonds.
Oliver_Fink
Collaborator

I just crosschecked what I memorized and I remembered it right. sk92804 says:

Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy is not supported for the following reasons: […]

 

Multiple sync interfaces are not just "not recommended" but "not supported". In my opinion this is a stricter statement.

0 Kudos
Sumedh_Gujar
Participant

Got the points in sk92804. We can follow the steps mentioned in that SK.  

0 Kudos
Alexander_Asta1
Explorer

Hi @Sumedh_Gujar,

 

Even that most of the comments are on how to prevent losing SYNC connection I want to step back you your original question.

If I can correctly the question is actually - will there be split-brain (active-active) situation if the sync link is down?

The answer is no. In contrast to other vendors, Checkpoint is using all cluster interfaces to monitor the member. This means that if the sync link is down, the FW will check if it still receive ccp packets from the other member through any of the cluster interfaces. You will probably loose connection table synchronization (if I am not wrong, connection sync will happen only via sync link, but heartbeat monitoring is via all cluster interfaces), but no split-brain scenario should occur. A failover will occur, because the active member will report interface down, the second member will become active ( attention) since it also has interface down.

 

 

 

Sumedh_Gujar
Participant

Hi @Alexander_Asta1,
Thanks for your explanation, this has helped me to clear my confusion.
0 Kudos