JackPrendergast
Advisor

Notice regarding ClusterXL, failover and Cisco Meraki...

Hi all,

Thought this could be good knowledge to publish, as this will no doubt result, if it has not already, in many calls to TAC.

I was working on a cluster for a customer recently - upgrading hardware and software.

Failover between the firewalls was taking 5 minutes during a simulated and unplanned outage. All the usual CXL and failover troubleshooting was done. Check Point side, it was solid. No problems with state sync.

I decided to enable vMAC, which brought the whole network to life. Failover was instant with no packet loss at all.

vMAC is literally designed for reasons like this, but it looks like Meraki doesn’t ‘support’ G-ARP.

A Citrix ADC user fell into the same issue here.

https://community.meraki.com/t5/Switching/Meraki-MS-switching-and-Gratuitous-ARP-with-Citrix-ADC-Net...

I think it would be useful for Check Point to publish this in order to assist customers first-hand, as the issue at first glance looks like the Check Points themselves.

3 Replies
PhoneBoy
Admin

Useful tip, thanks for sharing.

Timothy_Hall
Legend

Great tip. I mentioned this effect in my Max Power 2020 book and called it a "slow" failover, also mentioning the fact that some devices don't accept gratuitous ARPs because they track "state" for ARP and will reject an ARP Reply that they did not explicitly request. Generally leaving "Enable VMAC" UNchecked is recommended unless a slow failover is encountered, as the default Gratuitous ARP mechanism does the job on most networks; VMAC mode can cause additional issues in some cases if portfast is not set on the switchports the firewall is attached to.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
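
To check a capture for the behaviour discussed in this thread, the following added example (not code from any poster or from Check Point) decodes raw ARP frames, picks out gratuitous ARPs, and reports every cluster IP whose announced MAC changed at failover. The frames, MAC addresses and the 192.0.2.x addresses are constructed sample data.

```python
import struct

ARP_ETHERTYPE = 0x0806

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa, tpa = frame[28:32], frame[38:42]
    # Gratuitous ARP: sender and target protocol address are the same IP.
    return {"op": oper, "sha": _mac(frame[22:28]), "spa": _ip(spa),
            "tpa": _ip(tpa), "gratuitous": spa == tpa}

def audit_failover(frames):
    """Return (ip, old_mac, new_mac) for each IP re-announced with a new MAC."""
    bindings, moves = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not arp["gratuitous"]:
            continue  # ordinary requests/replies are not failover announcements
        old = bindings.get(arp["spa"])
        if old is not None and old != arp["sha"]:
            moves.append((arp["spa"], old, arp["sha"]))
        bindings[arp["spa"]] = arp["sha"]
    return moves

def build_arp(src_mac, spa, tpa, op):
    """Build a constructed broadcast ARP frame for the samples below."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    s, t = (bytes(int(o) for o in a.split(".")) for a in (spa, tpa))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ARP_ETHERTYPE)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + s + b"\x00" * 6 + t

VIP = "192.0.2.1"  # constructed cluster IP
# Default mode: the new active member announces the VIP with its own MAC.
GARP_MODE = [build_arp("02:00:00:00:0a:01", VIP, VIP, 2),
             build_arp("02:00:00:00:99:50", "192.0.2.50", VIP, 1),  # host lookup
             build_arp("02:00:00:00:0b:02", VIP, VIP, 2)]
# VMAC mode: both members announce the VIP with the same virtual MAC.
VMAC_MODE = [build_arp("02:00:00:00:00:fe", VIP, VIP, 2),
             build_arp("02:00:00:00:00:fe", VIP, VIP, 2)]

if __name__ == "__main__":
    print("G-ARP mode moves:", audit_failover(GARP_MODE))
    print("VMAC mode moves: ", audit_failover(VMAC_MODE))
```

Each reported move is a binding that neighbours only learn by accepting the gratuitous ARP, so a device that ignores it keeps forwarding to the old MAC until its entry ages out; an empty result, as in the VMAC sample, means there is nothing for neighbours to relearn.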
JackPrendergast
Advisor

Well, that’s exactly what I referred to when I was stood staring at the screen looking confused! I remembered something in your book and went to have a look.

I don’t ever use vMAC for any deployment but it’s a great remedy. Thanks Tim