Notice regarding clusterXL, failover and Cisco Meraki...
Hi all,
Thought this could be good knowledge to publish as this will no doubt, if not already, result in many calls to TAC.
I was working on a cluster for a customer recently - upgrading hardware and software.
Failover between the firewalls was taking 5 minutes during a simulated and unplanned outage. All the usual CXL and failover troubleshooting was done. Check Point side, it was solid. No problems with state sync.
I decided to enable vMAC which brought the whole network to life. Failover was instant with no packet loss at all.
vMAC is literally designed for reasons like this, but it looks like Meraki doesn’t ‘support’ G-ARP.
A Citrix ADC user fell into the same issue here.
I think it would be useful for Check Point to publish this in order to assist customers first hand as the issue on first glance looks like the Check Points themselves.
Useful tip, thanks for sharing.
Great tip. I mentioned this effect in my Max Power 2020 book and called it a "slow" failover, also mentioning the fact that some devices don't accept gratuitous ARPs because they track "state" for ARP and will reject an ARP Reply that they did not explicitly request. Generally leaving "Enable VMAC" UNchecked is recommended unless a slow failover is encountered, as the default Gratuitous ARP mechanism does the job on most networks; VMAC mode can cause additional issues in some cases if portfast is not set on the switchports the firewall is attached to.
Well, that’s exactly what I referred to when I was stood staring at the screen looking confused! I remembered something in your book and went to have a look.
I don’t ever use vMAC for any deployment but it’s a great remedy. Thanks Tim
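Added example, not part of the thread and not Check Point or Meraki code: a small Python model of the "slow failover" discussed above, showing why a neighbour that ignores unsolicited ARP replies keeps a stale MAC after failover and why a shared virtual MAC removes the dependency on gratuitous ARP. The addresses, the `Neighbour` class and its strict policy are constructed assumptions for illustration.

```python
import struct

VIP = bytes([192, 0, 2, 1])                      # constructed cluster IP
NBR_MAC, NBR_IP = bytes.fromhex("00005e005301"), bytes([192, 0, 2, 254])
MAC_A, MAC_B, VMAC = (bytes.fromhex("00005e0053" + x) for x in ("0a", "0b", "ff"))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet + ARP reply (opcode 2) frame."""
    eth = target_mac + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    (op,) = struct.unpack("!H", frame[20:22])
    return op, frame[22:28], frame[28:32], frame[38:42]

class Neighbour:
    """Toy ARP cache. strict=True drops replies it did not solicit (assumed model)."""
    def __init__(self, strict):
        self.strict, self.cache, self.pending = strict, {}, set()

    def solicit(self, ip):
        self.pending.add(ip)

    def receive(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:
            return False
        _, mac, ip, _ = parsed
        if self.strict and ip not in self.pending:
            return False                         # unsolicited reply ignored
        self.pending.discard(ip)
        self.cache[ip] = mac
        return True

def reachable_after_failover(strict, vmac):
    """True if the neighbour's cached MAC for the VIP belongs to the new active member."""
    n = Neighbour(strict)
    n.solicit(VIP)                               # normal resolution while member A is active
    n.receive(arp_reply(VMAC if vmac else MAC_A, VIP, NBR_MAC, NBR_IP))
    new_mac = VMAC if vmac else MAC_B            # member B takes over the VIP
    n.receive(arp_reply(new_mac, VIP, b"\xff" * 6, VIP))  # gratuitous ARP from B
    return n.cache.get(VIP) == new_mac
```

In the strict, non-VMAC case the stale entry persists until the neighbour's ARP cache ages out, which is the delay seen as a slow failover.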
