This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2025-11-13 05:10 AM
Jump to solution

ClusterXL

Hi,

I have two gateways configured in a ClusterXL High Availability (HA) setup.
However, when I run the cphaprob -a if command, I notice that two interfaces (bond0.8 & bond0.2053) are showing as LS (Load Sharing) mode, and I’m not sure why.

I’ve checked the SmartConsole GUI but couldn’t find any option to change these interfaces from LS to HA mode.

there is no reason to have them in LS because they run very little traffic!

Could you please advise how to correct this?

 cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 4
Required secured interfaces: 1


Interface Name:      Status:

Sync (S)             UP
Mgmt                 Non-Monitored
eth1-01              UP
bond0.8 (LS)         UP
bond0.2053 (LS)      UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 21

eth1-01          
bond0.5         
bond0.50         
bond0.8          
bond0.25        
bond0.49        
bond0.10        
bond0.47        
bond0.50        
bond0.27        
bond0.55        
bond0.90        
bond0.2053      
bond0.41       
bond0.70       
bond0.56      
bond0.27       
bond0.53      
bond0.940        
vpnt10          
vpnt11

 

So I’m wondering when and why these interfaces were configured to operate in Load Sharing (LS) mode, and how I can reconfigure them back to High Availability (HA) mode.

 show cluster state

Cluster Mode:   High Availability (Active Up) with IGMP Membership

 

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-13 05:22 AM
Jump to solution

LS would be default (normal) for LACP / 802.3AD bonds I expect.

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Topics-...

CCSM R77/R80/ELITE

View solution in original post

13 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-13 05:22 AM
Jump to solution

LS would be default (normal) for LACP / 802.3AD bonds I expect.

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Topics-...

CCSM R77/R80/ELITE
Moudar
MVP Silver
MVP Silver
‎2025-11-13 05:40 AM
In response to Chris_Atkinson
Jump to solution

but all other vlan interfaces are in the same bond interface which is bond0, so why only interface bond0.8 and bond0.2053 are LS?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 05:45 AM
In response to Moudar
Jump to solution

Can you send a screenshot?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2025-11-13 05:50 AM
In response to the_rock
Jump to solution

you can see all interfaces belongs to same bond?!

bond0.5         
bond0.50         
bond0.8          
bond0.25        
bond0.49        
bond0.10        
bond0.47        
bond0.50        
bond0.27        
bond0.55        
bond0.90        
bond0.2053      
bond0.41       
bond0.70       
bond0.56      
bond0.27       
bond0.53      
bond0.940

i had other gateway here my bad

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-13 05:47 AM
In response to Moudar
Jump to solution

Because only the highest & lowest VLANs are relevant to that part of the output as monitored by ClusterXL.

If anything is odd it's why bond0.5 doesn't show there.

CCSM R77/R80/ELITE
Moudar
MVP Silver
MVP Silver
‎2025-11-13 05:52 AM
In response to Chris_Atkinson
Jump to solution

so maybe it is vlan 5 i should investigate 

the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 05:50 AM
In response to Moudar
Jump to solution

I totally remember now the case I had with TAC while back about this. Below sk is what they gave me.

https://support.checkpoint.com/results/sk/sk92826

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 05:31 AM
Jump to solution

Hey brother,

I see what Chris mentioned, makes total sense, it would indicate type of bond, as per output as well. here is output from my lab


[Expert@CP-FW-01:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 4
Required secured interfaces: 1


Interface Name: Status:

eth0 (LM) UP
eth1 (LM) UP
eth2 (LM) UP
eth3 (S-LM) UP

S - sync, HA/LS - bond type, LM - link monitor, P - probing

Virtual cluster interfaces: 3

eth0 172.16.10.246
eth1 192.168.10.246
eth2 172.31.10.246

[Expert@CP-FW-01:0]#

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 05:33 AM
Jump to solution

Im sure if you change below option, it would show way you want it.

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-13 05:37 AM
In response to the_rock
Jump to solution

Don't change this without considering the switch side configs unless you want to break it.

802.3AD is the defacto standard for bonds.

CCSM R77/R80/ELITE
(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 05:41 AM
In response to Chris_Atkinson
Jump to solution

Yep, forgot to mention that, super important!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2025-11-13 05:51 AM
In response to Chris_Atkinson
Jump to solution

So i am not going to change any.
i only wonder why only 2 interfaces are LS

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-13 05:52 AM
In response to Moudar
Jump to solution

Hey brother, please refer to the sk I sent, it would be 100% relevant here, as Chris indicated.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events