Solved: Re: Checkpoint ClusterXL and Cisco ASA Failover cl... - Check Point CheckMates

Boosting Performance & Stability
with Harmony Endpoint E88.70!

Register Now

It's Here!
CPX 2025 Content

Get It Now

Zero Trust: Remote Access and Posture
Help us with the Short-Term Roadmap

Take the Survey

The Future of Browser Security:
AI, Data Leaks & How to Stay Protected!

Watch now

CheckMates Go:
Recently on CheckMates

LISTEN NOW

Hello!

I configured tunnel from my ASA to Checkpoint Cluster XL.

All work but I not shure about properly work BGP.

I configured some router id on each gateways on the cluster (VIP of the internal interfaces)

Some peer - My ASAs tunnel interface ip

And on active gateway i see:

TEST-CHPSG01> show cluster roles

ID Role

1 (local) Master
2 Non-Master

TEST-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

On second:

Oleg Volkov, [10.10.2024 12:57]
CUDD-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

Oleg Volkov, [10.10.2024 12:57]
TEST-CHPSG02> show cluster roles

ID Role

1 Master
2 (local) Non-Master

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

After I reload active gateway and check BGP session on standby:

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

Multiple times - Idle

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Active 0 0 00:00:00

Multiple times Active

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 1 00:00:00

And now established.

I have 3-5 sec (sometimes more) downtime when standby gateway become active

May be I configured it improperly?

Second question is the best way to configure dynamic routing beatwen ClusterXL and cisco/Huawei routers. OSPF/IS-IS/BGP?

What I must do? configure peering to each gateways or to VIP address?

If to each gateways how Cisco will know about which route is prefer (which gateway is active)?

Thank You!

1 Solution

Accepted Solutions

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

View solution in original post

4 Replies

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

Thank You!

Can You explain me how I can to switch active gateway without reooting?

And second question, which protocol do you recommend as IGP with checkpoint for minimal downtime?

Thank you!

I believe you can execute the command clusterXL_admin down to do this (clusterXL_admin up to reverse it).

The choice of an IGP depends on a number of factors.
From what I see on the community, OSPF is probably the most commonly used.

Make sure BGP port (tcp/179) is allowed in both directions. It should be allowed for VIP IPs.

Kind regards,
Jozko Mrkvicka

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

User

Count

21

9

8

8

5

5

5

4

4

3

Upcoming Events

Sort by:

Virtual

Tue 01 Apr 2025 @ 11:00 AM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - EMEA

Virtual

Tue 01 Apr 2025 @ 06:00 PM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - Americas

Virtual

Wed 02 Apr 2025 @ 03:00 PM (CEST)

The Power of SASE: Smarter Security, Stronger Network - EMEA

Virtual

Wed 02 Apr 2025 @ 02:00 PM (EDT)

The Power of SASE: Smarter Security, Stronger Network - Americas

Virtual

Thu 03 Apr 2025 @ 10:00 AM (CEST)

CheckMates Live BeLux: Cloudguard WAF

Virtual

Thu 03 Apr 2025 @ 01:00 PM (CEST)

Meet the Experts: Transforming Security Operations with Impactful Intelligence!

Virtual

Tue 01 Apr 2025 @ 11:00 AM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - EMEA

Virtual

Tue 01 Apr 2025 @ 06:00 PM (IDT)

Simplifying Zero Trust with Infinity Identity: Centralized, Scalable, Secure - Americas

Virtual

Wed 02 Apr 2025 @ 03:00 PM (CEST)

The Power of SASE: Smarter Security, Stronger Network - EMEA

Virtual

Wed 02 Apr 2025 @ 02:00 PM (EDT)

The Power of SASE: Smarter Security, Stronger Network - Americas

Virtual

Thu 03 Apr 2025 @ 10:00 AM (CEST)

CheckMates Live BeLux: Cloudguard WAF

Virtual

Thu 03 Apr 2025 @ 01:00 PM (CEST)

Meet the Experts: Transforming Security Operations with Impactful Intelligence!

In-Person

Tue 08 Apr 2025 @ 12:00 PM (MDT)

Denver: CPX 2025 Recap

In-Person

Thu 10 Apr 2025 @ 10:00 AM (EEST)

CheckMates Live Sofia - Maintenance and Upgrade Best Practices

In-Person

Thu 10 Apr 2025 @ 12:00 PM (PDT)

Renton, WA: Golf and Learn!

In-Person

Wed 16 Apr 2025 @ 12:00 PM (PDT)

Hillsboro, OR: Golf and Learn!

In-Person

Tue 06 May 2025 @ 09:00 AM (EEST)

CheckMates Live Cyprus - Performance Optimization Best Practices

CheckMates Events