
ClusterXL active-active vs active-passive

Hi CheckMates!

We are going to implement new CheckPoint clusters to replace the ageing Juniper firewalls. I was going to install 2 HA Active-Passive clusters, each with 2 IP addresses + VIP per WAN link but the ISP's design does not allow this.

ISP is suggesting the following:

- Site1 GW1 uses the Active Layer3 link with IP address a.a.a.x/31 for internet access

- Site1 GW2 uses the Active Layer3 link with IP address b.b.b.x/31 for connections between sites via IPSEC

- Site2 GW1 uses the Active Layer3 link with IP address c.c.c.x/31 for internet access

- Site2 GW2 uses the Active Layer3 link with IP address d.d.d.x/31 for connections between sites via IPSEC

(Apparently "on Juniper you can use a WAN link on the Active member, and another active WAN link on the Passive member")

If you ask me, this cannot be done in a CheckPoint Active-Passive setup. At a minimum I'll need an Active-Active load sharing cluster, but then I imagine I'll run into issues using different subnets on the WAN interfaces of each cluster member.

What is your opinion? Any suggestions?

Kind regards


5 Replies

Why do you need two IP addresses per cluster? Using a VIP you have one IP per HA cluster only...


Generally I would prefer Active/Passive mode in a cluster environment. You should use Active/Active mode only if a single gateway is not able to handle the traffic / CPU / memory load.

Below are some drawbacks of Active/Active mode:

- SecureXL does not support load balancing

- SK42359 - SecureXL and Sticky Decision Function in ClusterXL Load Sharing Mode

- SK65486 - Features not supported by Sticky Decision Function (SDF)

- SK31680 - Load Sharing mode with SDF


good luck with that


Hi Phil,

That is, to say the least, a little bit of an overcomplicated design; all you need is what Guenter suggested:

1 VIP per cluster on each interface (with sync), and the other interfaces as designed with 2 physical IPs and a VIP on each.

1 VIP on each WAN side towards the CPE, from the same subnet with the same mask etc. - nothing really as complicated as you've described. I think this entire design is an attempt at migrating Juniper NetScreen devices to Gaia, am I right?

Make it simple and do follow the mentioned SKs - all you need is HA Active/Passive (Active/Active with LSM mode is not really a very up-to-date architecture any longer - see Valeri's posts from a few weeks ago) - you don't need A/A LSM nor A/A - all that's needed is proper "subnetting" and a proper structure of VLANs/subnets/interface design - that's all.

For the sake of IPsec - don't pay attention to this; IPsec peers can be terminated on each gateway's VIP address and there is nothing to worry about - just a valid routing table and off we go.

All the best
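To make the "2 physical IPs + VIP per link" requirement from the answer above concrete, here is an added planning script (not from the thread or from Check Point) that checks whether an ISP-proposed link can host an HA pair at all. It assumes four addresses per shared WAN subnet (ISP CPE, both members, VIP) and uses 203.0.113.0/x documentation prefixes in place of the ISP's a.a.a.x-style links; the "first usable addresses" allocation order is an assumed convention, not a Check Point requirement.

```python
"""Check whether ISP-proposed WAN links can host a ClusterXL HA pair.

A High Availability cluster needs, per WAN link, two physical member
addresses plus the cluster VIP, on top of the ISP's own CPE address.
Constructed example: 203.0.113.0/x stands in for the ISP's a.a.a.x links.
"""
from ipaddress import IPv4Network, ip_network
from typing import Optional

# CPE + member 1 + member 2 + VIP, all on one shared subnet.
HOSTS_PER_HA_LINK = 4


def usable_hosts(net: IPv4Network) -> int:
    """Usable addresses: a /31 point-to-point link uses both, a /32 one,
    anything larger loses the network and broadcast addresses."""
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def smallest_prefixlen(hosts_needed: int) -> int:
    """Longest prefix that still leaves hosts_needed usable addresses."""
    for plen in range(32, -1, -1):
        if usable_hosts(ip_network(f"0.0.0.0/{plen}")) >= hosts_needed:
            return plen
    raise ValueError("cannot fit hosts_needed")


def plan_link(prefix: str, hosts_needed: int = HOSTS_PER_HA_LINK) -> dict:
    """Report whether one ISP link fits an HA cluster and, if not, the
    smallest prefix to ask the ISP for instead."""
    net = ip_network(prefix, strict=False)
    fits = usable_hosts(net) >= hosts_needed
    return {"link": str(net), "usable": usable_hosts(net), "fits": fits,
            "ask_for": net.prefixlen if fits else smallest_prefixlen(hosts_needed)}


def allocate(prefix: str) -> Optional[dict]:
    """Assign CPE, both member IPs and the VIP from the first usable
    addresses (assumed convention, not a Check Point requirement)."""
    net = ip_network(prefix, strict=False)
    if usable_hosts(net) < HOSTS_PER_HA_LINK:
        return None
    first = net.network_address + (0 if net.prefixlen >= 31 else 1)
    cpe, gw1, gw2, vip = (first + i for i in range(4))
    return {"cpe": str(cpe), "gw1": str(gw1), "gw2": str(gw2), "vip": str(vip)}


if __name__ == "__main__":
    # The ISP's proposal from the thread: one /31 per cluster member.
    for link in ("203.0.113.0/31", "203.0.113.2/31"):
        print(plan_link(link))          # usable 2, fits False, ask_for 29
    print(allocate("203.0.113.8/29"))   # CPE .9, GW1 .10, GW2 .11, VIP .12
```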



Hi All,

Thanks for your replies - great to see Checkmates in action and helping me out. I'll try to return the favour later!



- The guys at the ISP are used to working with Juniper

- In my first meeting with them, first thing I said was: I'm going to need 3 IPs per link, because I want to work with HA clustering & VIP.

Thank you for confirming that I was on the right track!

Best regards,


