Sync Redundancy in ClusterXL
Solution

Important Note: Based on reports from the field and multiple tests in the lab, the use of more than one Synchronization Network for redundancy is not supported, for the following reasons:

  • By design, Delta Sync traffic is duplicated by the sending cluster member onto every configured Synchronization Network (the receiving cluster member inspects every Delta Sync packet it receives and discards those already processed on one of the other Synchronization Networks). This increases CPU load on all cluster members.
  • By design, if a cluster interface goes down (from the cluster's point of view), the member enters the "Down" state. This applies to Sync interfaces as well, so configuring multiple Synchronization Networks does not provide full Sync redundancy: a failed Sync interface still takes the member down.
  • Multiple Synchronization Networks are not supported in VSX.

Note: The ability to configure multiple Synchronization Networks in a cluster object still exists in SmartDashboard, for the rare special cases in which the cluster administrator cannot create Bond interfaces.


Table of Contents:

  1. Introduction
  2. Procedure
  3. Recommendations
  4. Limitations


(1) Introduction

In version R80.20, new Sync redundancy capabilities were added. For more information, refer to the ClusterXL R80.20 Administration Guide, section 'Supported Topologies for Synchronization Network'.

In version R80.10, Sync redundancy is configured under the Bond interface configuration. It supports both Bond Load Sharing and Bond High Availability (the topologies that predate R80.20).

In versions R77.30 and below, to implement Sync redundancy, configure several physical interfaces as a single Bond interface, in High Availability (Active/Backup) mode or in Load Sharing (Active/Active) mode, and then configure the dedicated Synchronization Network over that Bond interface.

Connect the Sync Bond interface of each member to the same switch or VLAN, or connect the members back-to-back.


(2) Procedure for versions R77.30 and below

  1. On all members, define a Bond interface whose slaves are the physical interfaces intended for the Sync network.

    Refer to these Administration Guides:

    • For Gaia OS: Gaia Administration Guide (R75.40, R75.40VS, R76, R77) - Chapter 'Network Management' - Network Interfaces - Bond Interfaces (Link Aggregation).
    • For SecurePlatform OS: ClusterXL Administration Guide (R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77) - Chapter 'ClusterXL Advanced Configuration' - Link Aggregation and Clusters.

    Example for Gaia OS:

    Note: On all members - either use Gaia Portal, or run the following commands in Clish.

    1. Create the Bond interface (in this example, Bond 0):

      HostName> add bonding group 0

      HostName> set bonding group 0 mode 8023AD
    2. Add slave interfaces to Bond (in this example, eth1 and eth2 are the intended bonded interfaces for Sync):

      HostName> add bonding group 0 interface eth1

      HostName> add bonding group 0 interface eth2
    3. Save settings:

      HostName> save config
  2. Connect to Security Management Server with SmartDashboard.

  3. Open the cluster object.

  4. Go to Topology pane - click on Edit....

  5. Under the name of each member, click on Get Topology.

  6. Check the configuration of Virtual IP addresses.

  7. Configure the new Bond interface as the "1st Sync" interface (only the Bond interface is shown in the topology; its slave interfaces are not).

  8. Click on 'OK' to apply the settings.

  9. Save the settings: go to File menu - click on Save.

  10. Install policy onto this cluster.

  11. Verify by running the "cphaprob -a if" command on the cluster members: the Sync interface should be reported as running in Bond mode.

    Known issue when the Bond is in HA mode:

    If the interface that currently carries Sync is added as a slave into the newly created Bond (instead of first moving Sync to another interface), the output of the "cphaprob -a if" command may show:

      Warning: Sync will not function since there aren't any sync(secured) interfaces

    In this state the new Bond interface does act as the Sync interface, but "cphaprob -a if" lists it as a regular monitored interface rather than as the sync(secured) interface.

    To update the Check Point kernel about the new Bond and its Sync role, restart the Check Point services with the "cpstop;cpstart" commands (Note: this may cause a fail-over, so restart one member at a time and confirm the cluster state with "cphaprob state" before proceeding to the next member).
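The verification in step 11 is easy to misread by eye when several interfaces are listed, so the following POSIX shell script, written for this article and not part of Check Point's own tooling, parses "cphaprob -a if" output and classifies the Sync state. It assumes the interface lines have the form "<name> <state> sync(secured)|non sync(non secured), multicast" and that the warning text quoted above appears verbatim when the kernel knows no Sync interface; the three outputs embedded below are constructed samples, not captures from a real cluster.

```shell
#!/bin/sh
# Added example (not Check Point code): classify the Sync interface state after
# moving Sync onto a Bond, from the text of "cphaprob -a if".
#
# Assumptions (labelled): interface lines look like
#   <name>  <state>  sync(secured)|non sync(non secured), multicast
# and the warning from the article appears verbatim when no Sync interface is
# known to the kernel. All samples below are constructed.

# Constructed sample: Sync correctly running over bond0.
SAMPLE_OK=$(cat <<'EOF'
Required interfaces: 2
Required secured interfaces: 1

eth0            UP                    non sync(non secured), multicast
bond0           UP                    sync(secured), multicast

Virtual cluster interfaces: 1

eth0            192.168.1.1
EOF
)

# Constructed sample: the failure mode described above (kernel not yet updated).
SAMPLE_BAD=$(cat <<'EOF'
Required interfaces: 2
Required secured interfaces: 1

Warning: Sync will not function since there aren't any sync(secured) interfaces

eth0            UP                    non sync(non secured), multicast
bond0           UP                    non sync(non secured), multicast
EOF
)

# Constructed sample: Sync still on a physical NIC, so no redundancy yet.
SAMPLE_PHYS=$(cat <<'EOF'
Required interfaces: 2
Required secured interfaces: 1

eth0            UP                    non sync(non secured), multicast
eth1            UP                    sync(secured), multicast
EOF
)

# check_sync_output <text>
# Return codes: 0 = Sync runs over a bondN interface
#               1 = warning present or no sync(secured) interface listed
#               2 = a sync(secured) interface exists but is not a Bond
check_sync_output() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Sync will not function'; then
        echo "FAIL: kernel has no sync(secured) interface; run cpstop;cpstart on this member"
        return 1
    fi
    # First field of the first line tagged sync(secured). The tag
    # "non sync(non secured)" does not match this pattern, and the
    # "Required ..." counter lines are excluded explicitly.
    sync_if=$(printf '%s\n' "$out" | grep -v '^Required' | grep 'sync(secured)' \
              | awk 'NR==1 {print $1}')
    case $sync_if in
        bond[0-9]*)
            echo "OK: Sync runs over $sync_if"
            return 0 ;;
        '')
            echo "FAIL: no sync(secured) interface listed"
            return 1 ;;
        *)
            echo "WARN: Sync is on $sync_if, not on a Bond; Sync redundancy is not in place"
            return 2 ;;
    esac
}

# Live usage on a cluster member (expert mode): sh check_sync.sh --live
if [ "${1-}" = "--live" ]; then
    check_sync_output "$(cphaprob -a if)"
fi
```

Run it on each member after policy installation; a return code of 1 on any member means the kernel still needs the service restart described above, and a 2 means the Bond was created but Sync was never moved onto it in the cluster topology.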


(3) Recommendations

  • 802.3ad (LACP) is the recommended Bond mode. The switch ports facing the slave interfaces must be configured for LACP as well.


(4) Limitations

  • When using Sync over Bond in HA mode (Active-Backup), slave interfaces must be added in the same order on all cluster members.
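The slave order of a Bond is visible in the Linux bonding driver's /proc/net/bonding/<bond> file, which lists "Slave Interface:" entries in enslavement order (absent a configured primary, the first slave enslaved is normally the initial active slave, which is why the order matters in active-backup mode). The following POSIX shell script, written for this article and not part of Check Point's own tooling, extracts that order from two members' files and flags a mismatch when the Bond is in active-backup mode. The two member outputs are constructed samples; on a real cluster collect them with "cat /proc/net/bonding/bond0" on each member.

```shell
#!/bin/sh
# Added example (not Check Point code): compare the slave order of the Sync Bond
# across two cluster members, the condition the limitation above requires for
# Bond HA (active-backup) mode. Input is the text of /proc/net/bonding/<bond>.
# Both member outputs below are constructed samples.

# Constructed sample, member A: eth1 enslaved first, then eth2.
MEMBER_A=$(cat <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
EOF
)

# Constructed sample, member B: slaves added in the opposite order (the mistake).
MEMBER_B=$(cat <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth2
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
EOF
)

# bond_mode <text>: the "Bonding Mode:" value, e.g. "fault-tolerance (active-backup)"
bond_mode() {
    printf '%s\n' "$1" | sed -n 's/^Bonding Mode: //p'
}

# slave_order <text>: slave names in enslavement order, space separated, one line
slave_order() {
    printf '%s\n' "$1" | awk '/^Slave Interface:/ {printf "%s%s", sep, $3; sep=" "} END {print ""}'
}

# check_slave_order <text_a> <text_b>
# Return codes: 0 = identical order, or a mode other than active-backup
#                   (the limitation applies only to Bond HA)
#               1 = active-backup mode and the slave order differs
check_slave_order() {
    mode_a=$(bond_mode "$1")
    order_a=$(slave_order "$1")
    order_b=$(slave_order "$2")
    if [ "$order_a" = "$order_b" ]; then
        echo "OK: slave order identical on both members ($order_a)"
        return 0
    fi
    case $mode_a in
        *active-backup*)
            echo "FAIL: slave order differs: member A [$order_a] vs member B [$order_b]"
            return 1 ;;
        *)
            echo "INFO: order differs but mode is '$mode_a'; limitation applies only to active-backup"
            return 0 ;;
    esac
}

# Live usage: sh check_bond_order.sh --live /tmp/bond0.memberA /tmp/bond0.memberB
if [ "${1-}" = "--live" ]; then
    check_slave_order "$(cat "$2")" "$(cat "$3")"
fi
```

When the check fails, remove the slaves from the Bond on the mismatched member and re-add them in the same order as on the other member, then re-run the check before installing policy.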
