Solved: Checkpoint ClusterXL and Cisco ASA Failover cluste... - Check Point CheckMates

Discover the Future of Cyber Security:
What’s New in Check Point’s Quantum R82

Watch Now

Pick the Best of the Best of
CheckMates 2024!

Vote Now!

Share your Cyber Security Insights
On-Stage at CPX 2025

Learn More

Simplifying Zero Trust Security
with Infinity Identity!

Watch Now

Zero Trust Implementation
Help us with the Short-Term Roadmap

Take the Survey

CheckMates Go:
What's New in R82

LISTEN NOW

Hello!

I configured tunnel from my ASA to Checkpoint Cluster XL.

All work but I not shure about properly work BGP.

I configured some router id on each gateways on the cluster (VIP of the internal interfaces)

Some peer - My ASAs tunnel interface ip

And on active gateway i see:

TEST-CHPSG01> show cluster roles

ID Role

1 (local) Master
2 Non-Master

TEST-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

On second:

Oleg Volkov, [10.10.2024 12:57]
CUDD-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

Oleg Volkov, [10.10.2024 12:57]
TEST-CHPSG02> show cluster roles

ID Role

1 Master
2 (local) Non-Master

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

After I reload active gateway and check BGP session on standby:

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

Multiple times - Idle

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Active 0 0 00:00:00

Multiple times Active

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 1 00:00:00

And now established.

I have 3-5 sec (sometimes more) downtime when standby gateway become active

May be I configured it improperly?

Second question is the best way to configure dynamic routing beatwen ClusterXL and cisco/Huawei routers. OSPF/IS-IS/BGP?

What I must do? configure peering to each gateways or to VIP address?

If to each gateways how Cisco will know about which route is prefer (which gateway is active)?

Thank You!

1 Solution

Accepted Solutions

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

View solution in original post

4 Replies

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

Thank You!

Can You explain me how I can to switch active gateway without reooting?

And second question, which protocol do you recommend as IGP with checkpoint for minimal downtime?

Thank you!

I believe you can execute the command clusterXL_admin down to do this (clusterXL_admin up to reverse it).

The choice of an IGP depends on a number of factors.
From what I see on the community, OSPF is probably the most commonly used.

Make sure BGP port (tcp/179) is allowed in both directions. It should be allowed for VIP IPs.

Kind regards,
Jozko Mrkvicka

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

User

Count

26

22

19

12

11

9

7

6

6

5

Upcoming Events

Sort by:

In-Person

Tue 03 Dec 2024 @ 10:00 AM (GMT)

UK Community CNAPP Training Day 1: Cloud Risk Management Workshop

Virtual

Tue 03 Dec 2024 @ 05:00 PM (CET)

Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint Solutions

Virtual

Tue 03 Dec 2024 @ 02:00 PM (CST)

Americas Deep Dive: What's New in R82

In-Person

Wed 04 Dec 2024 @ 10:00 AM (GMT)

UK Community CNAPP Training Day 2: Cloud Risk Management Workshop

Virtual

Thu 05 Dec 2024 @ 11:00 AM (SGT)

APAC Deep Dive: What's New in R82

Virtual

Thu 05 Dec 2024 @ 10:00 AM (CET)

Impactful Intelligence: Introducing Check Point Infinity External Risk Management - EMEA

Virtual

Tue 03 Dec 2024 @ 05:00 PM (CET)

Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint Solutions

Virtual

Tue 03 Dec 2024 @ 02:00 PM (CST)

Americas Deep Dive: What's New in R82

Virtual

Thu 05 Dec 2024 @ 11:00 AM (SGT)

APAC Deep Dive: What's New in R82

Virtual

Thu 05 Dec 2024 @ 10:00 AM (CET)

Impactful Intelligence: Introducing Check Point Infinity External Risk Management - EMEA

Virtual

Thu 05 Dec 2024 @ 10:00 AM (CET)

CheckMates Live BeLux: What’s new in R82

Virtual

Thu 05 Dec 2024 @ 05:00 PM (CET)

Impactful Intelligence: Introducing Check Point Infinity External Risk Management - AMER

In-Person

Tue 03 Dec 2024 @ 10:00 AM (GMT)

UK Community CNAPP Training Day 1: Cloud Risk Management Workshop

In-Person

Wed 04 Dec 2024 @ 10:00 AM (GMT)

UK Community CNAPP Training Day 2: Cloud Risk Management Workshop

CheckMates Events