Traffic outage after a fail-over between Virtual Systems in VSLS Bridge Mode when SecureXL is enabled

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk111635
Technical Level
Product	VSX, SecureXL, Quantum Appliances, Quantum Security Gateways
Version	R75.40VS (EOL), R76 (EOL), R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL)
OS	Gaia
Platform / Model	2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, 23000, Intel/PC, Power-1 (EOL), UTM-1 (EOL), VMWare ESX, IP1280 (EOL), IP2450 (EOL)
Date Created	23-May-2016
Last Modified	23-May-2016

Symptoms

Traffic outage after a fail-over between Virtual Systems in VSLS Bridge Mode (e.g., by running the "vsx_util vsls" command on Security Management Server and selecting option "4. Manually set priority and weight").
Traffic flow resumes when switches send ARP Request and new active Virtual Systems respond with relevant MAC Address.
Disabling SecureXL on VSX cluster members resolves the issue (no traffic outage after a fail-over between Virtual Systems).
Bridge Active/Standby state is configured as Check Point ClusterXL, and not as standard Layer 2 loop detection (STP).

Cause

During the fail-over, Virtual Systems in VSLS Bridge Mode do not send CCP MAC Learning packets. As a result, switches can not update their MAC Address tables with the MAC Address of the new Active Virtual Systems.

When SecureXL is enabled, accelerated packets do not update Linux kernel shadow table, and, as a result, Check Point kernel table fdb_shadow.

Solution

Note: To view this solution you need to Sign In .