Traffic outage after a fail-over between Virtual Systems in VSLS Bridge Mode when SecureXL is enabled

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk111635
Product	VSX, SecureXL, Enterprise Appliances, Data Center Security Appliances
Version	R75.40VS, R76, R77, R77.10, R77.20, R77.30
OS	Gaia
Platform / Model	2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, 23000, Intel/PC, Power-1, UTM-1, VMWare ESX, IP1280, IP2450
Date Created	23-May-2016
Last Modified	23-May-2016

Symptoms

Traffic outage after a fail-over between Virtual Systems in VSLS Bridge Mode (e.g., by running the "vsx_util vsls" command on Security Management Server and selecting option "4. Manually set priority and weight").
Traffic flow resumes when switches send ARP Request and new active Virtual Systems respond with relevant MAC Address.
Disabling SecureXL on VSX cluster members resolves the issue (no traffic outage after a fail-over between Virtual Systems).
Bridge Active/Standby state is configured as Check Point ClusterXL, and not as standard Layer 2 loop detection (STP).

Cause

During the fail-over, Virtual Systems in VSLS Bridge Mode do not send CCP MAC Learning packets. As a result, switches can not update their MAC Address tables with the MAC Address of the new Active Virtual Systems.

When SecureXL is enabled, accelerated packets do not update Linux kernel shadow table, and, as a result, Check Point kernel table fdb_shadow.

Solution

Note: To view this solution you need to Sign In .