This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sumedh_Gujar
Participant
‎2019-07-11 07:04 AM

Behavior of HA cluster when SYN link is down

Hi,

I am bit confused in behavior of HA cluster. We have configured HA cluster between our 2 firewalls (12400 and R77.30). We have point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and Standby firewall goes to Active state, which we can see in cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or like Cisco HSRP, both firewalls should go to Active Active mode. 

 

Thank you

Sumedh

 

 

11 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-07-11 12:18 PM

Use a LACP bond interface in HA mode for your sync. This is the sulution to secure your sync interface.

More informations can you found here:

R80.30 cheat sheet - ClusterXL

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-12 04:30 AM
In response to HeikoAnkenbrand

Refer also sk133372 are you using JHF T343 or above?

(When you say sync is going down how is it normally connected to a switch or directly to the peer gateway.)

CCSM R77/R80/ELITE
0 Kudos
Sumedh_Gujar
Participant
‎2019-07-12 05:22 AM
In response to Chris_Atkinson

Hi,
We are using take 317. SK which you have shared is for stability issue, we dont have any stability issue. My concern is regarding the state of Active firewall which goes down when Sync link goes down.

Thank you
0 Kudos
Sumedh_Gujar
Participant
‎2019-07-12 04:46 AM
In response to HeikoAnkenbrand

Thanks for your suggestion, we will check and try for LACP to avoid single link failure.
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-13 03:53 AM
In response to Sumedh_Gujar

Please review the details of the SK closer specifically regarding SYNC.
CCSM R77/R80/ELITE
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-07-13 04:30 AM
In response to Chris_Atkinson

Or you can also set up 2nd sync link over lowest VLAN on any of interfaces.
In some cases, we temporary used External interface as Sync, although such a configuration is not recommended by Check Point.

Kind regards,
Jozko Mrkvicka
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-13 04:48 AM
In response to JozkoMrkvicka

sk92804 outlines why multiple sync interfaces aren't recommended (performance impact) and the preference for bonds.
CCSM R77/R80/ELITE
Oliver_Fink
Advisor
Advisor
‎2019-07-15 06:39 AM
In response to Chris_Atkinson

I just crosschecked what I memorized and I remembered it right. sk92804 says:

Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy is not supported for the following reasons: […]

 

Multiple sync interfaces are not just "not recommended" but "not supported". In my opinion this is a stricter statement.

0 Kudos
Sumedh_Gujar
Participant
‎2019-07-16 02:53 AM
In response to Oliver_Fink

Got the points in sk92804. We can follow the steps mentioned in that SK.  

0 Kudos
Alexander_Asta1
Explorer
‎2019-07-22 02:42 AM

Hi @Sumedh_Gujar,

 

Even that most of the comments are on how to prevent losing SYNC connection I want to step back you your original question.

If I can correctly the question is actually - will there be split-brain (active-active) situation if the sync link is down?

The answer is no. In contrast to other vendors, Checkpoint is using all cluster interfaces to monitor the member. This means that if the sync link is down, the FW will check if it still receive ccp packets from the other member through any of the cluster interfaces. You will probably loose connection table synchronization (if I am not wrong, connection sync will happen only via sync link, but heartbeat monitoring is via all cluster interfaces), but no split-brain scenario should occur. A failover will occur, because the active member will report interface down, the second member will become active ( attention) since it also has interface down.

 

 

 

Sumedh_Gujar
Participant
‎2019-07-23 02:47 AM
In response to Alexander_Asta1

Hi @Alexander_Asta1,
Thanks for your explanation, this has helped me to clear my confusion.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events