Friday, August 10, 2012

Testing of the Check Point ClusterXL: Active/Active Sync Port Failure

We wanted to test the ClusterXL feature to verify what exactly would happen if a 'sync' port when down, but the Check Point unit was still up.  We figured that if the unit goes down, the other unit would just keep right on going without issue, and vice versa.  However, what exactly would happen if ONLY a sync port goes down, in an active/active situation?  Well, I have to say I was a little surprised at the results of this.  Here is what we found:

We are working with R75.40, and two Clustered IP 12400 Series boxes.
1.  In scenario #1, reference the topology below.  When we pulled the sync cable out of Firewall #1, we did a 'cphaprob stat' on both firewalls.  Firewall #1 showed that it was active while Firewall #2 showed down.  On Firewall #2, 'cphaprob stat' showed that it was down and Firewall #1 was active.  They both agreed that Firewall #1 was active.  Both sync ports were connected to the switch.  We were still able to get on the Internet also.
2.  In scenario #2, same topology above.  Except this time,  we pulled the sync cable out of Firewall #2, we did a 'cphaprob stat' on both firewalls.  Firewall #1 showed that it was active while Firewall #2 showed down.  On Firewall #2, 'cphaprob stat' showed that it was down and Firewall #1 was active.  They both agreed that Firewall #1 was active.  Both sync ports were connected to the switch.  We were still able to get on the Internet also.
3.  In scenario #3, reference the topology below.  This time, we put a cross-over cable between the two firewalls.  Both active/active at this point, and then we pulled the cross-over cable out of Firewall #1.  Firewall #1 showed that it was active while Firewall #2 showed down.  On Firewall #2, 'cphaprob stat' showed that it was down and Firewall #1 was active.  They both agreed that Firewall #1 was active.  We were still able to get on the Internet also.
4.  In scenario #4, reference the topology below.  We still had a cross-over cable between the two firewalls.  We then we pulled the cross-over cable out of Firewall #2.  Firewall #1 showed that it was active while Firewall #2 showed down.  On Firewall #2, 'cphaprob stat' showed that it was down and Firewall #1 was active.  They both agreed that Firewall #1 was active.  We were still able to get on the Internet also.
So, in this case, does it matter about the sync port and how it is plugged in?  Well, the results say No, it doesn't matter in this situation.  So, when would it matter?  I think with this version we had, and with this testing, it doesn't matter.
Now, with that said, WHY did Firewall #1 ALWAYS come up as the Active unit and Firewall #2 ALWAYS go down?  I think its because in the Check Point Dashboard, under the properties of the cluster, there is a section called 'CluserXL'.  When you select that on the left side, you will see the order of the clusters on the right.  In my case, Firewall #1 was the first entry, and Firewall #2 was the second.  I believe that may be the reason why we see these results.  If we were to swap that order, I think we would see just the opposite happen.
Posted by