Firewall Dynamic Routing For Dummies – Part Quad

And then there is clustering……

<Work In Progress>

UPDATE 6/4/2013: Just got word that CP has acknowledged that there is a problem with failover and OSPF. Sometimes OSPF uses its real IP and not the VIP. It should ALWAYS use the VIP. This would be a huge impact for all CP customers. CP claims they will fix this. Till then, tread lightly on failing over. Using clusterXL_admin down would be my suggestion.

Sorry to dump this on you, but I have good news and I have bad news.

  • Good news: Once its up and running it seems to work
  • Bad news: Once its up and running it seems to work

Clustering is a bitch. If you have a standalone system, go for it. Dynamic routing on a clustered system is not there yet. The routing people never talked to the clustering people about life and the reality outside of the lab.

  1. So when doing full connectivity upgrades, recognize that this only applies to state tables and not routing tables. Although you can get the state tables to fail over, the routing will not converge immediately, so you will lose pings.
  2. Member priority. So member A is active and is advertising OSPF HELLO packets on the VIP. If you are upgrading member B and member B is the priority member, then when you push policy, HA will restart and member B will be the VIP advertising OSPF HELLO packets…without a full routing table. Doooo-ah! What to do? Or what if member B is upgraded but you still need to put a patch to routed/ospf on it? You upgrade, it asks to reboot, you reboot, and member B is active but doesn’t have the new routed on it and has no routes. The whole member priority prior to upgrades should be thought out.
  3. Wait for it……Should you OSPF route before clustering comes up? OSPF tells the world “Hey, I’m accepting packets on this VIP”. So packets start coming your way, but clustering is slowly starting to get out of bed……
  4. PROBLEMO MUCHACHO….Well, not all the time. When you type cphastop on the problem member, the problem member’s routed starts advertising on its own real IP address and not the VIP. I think this is a problem, because where do the packets go – to the VIP or the real IP? You guessed it, the REAL IP. URRRRP. Problem. Yes, the routing people and the cluster people and the documentation people were not talking to each other. The upgrade guide is wrong: you can’t rely on cphastop alone because it does not stop routed. You have to run drouter stop routed too. Routed and clustering are independent of each other, and they should be tied hip-to-hip.
  5. So you are single, no family, no dog and you have a death wish. Not a problem, we have that for you. Run VPNs on your firewall and figure out if you should inject kernel routes into OSPF, or let OSPF figure it out and do it for you. I wish I had the answer; let me know if you do before you die.
  6. Just take it from me. NEVER pull an interface cable to keep a member from joining the cluster and then reboot. Your life will change before your eyes.
  7. Learn to write an awk script to convert OSPF routes to static routes in order to do a clean upgrade. If you can’t take any ping losses, then you have to convert the dynamic routing cluster into a static routing cluster. Convert the OSPF routes into static routes (do not do a ‘save config’), and upgrade that way. The static routes will continue to route as long as the state tables send packets your way. Once things are working, reboot and let OSPF fill the routing tables in place of the GAIA clish static routes, which will disappear on reboot because you didn’t do a ‘save config’.
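An added example of the kind of awk conversion item 7 describes (this is not the author's script): it reads Gaia "show route ospf" output and emits one clish "set static-route ... nexthop gateway address ... on" command per OSPF route. The column layout of the input and the sample routes are assumptions constructed for the example; compare against your own "show route ospf" before using it.

```shell
#!/bin/sh
# Added example, not the author's script. Turns OSPF-learned routes from Gaia
# "show route ospf" into clish static-route commands for a clean upgrade.
# The input column layout below is an ASSUMPTION about the Gaia output; check
# it against your own "show route ospf" before trusting the result.
ospf_to_static() {
  awk '
    # Keep only OSPF routes: the code column starts with O (O, O IA, O E, O N).
    # The legend line "O - OSPF IntraArea ..." also starts with O but carries no
    # prefix/gateway, so it is dropped by the sanity check below.
    $1 !~ /^O/ { next }
    {
      prefix = ""; gw = ""
      for (i = 1; i <= NF; i++) {
        # First a.b.c.d/len token is the destination prefix
        if (prefix == "" && $i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) prefix = $i
        # Token after "via" is the next hop; strip the trailing comma
        if ($i == "via" && i < NF) { gw = $(i + 1); sub(/,$/, "", gw) }
      }
      if (prefix == "" || gw == "") next
      # Gaia clish static route. Deliberately NOT followed by "save config", so the
      # routes vanish at the next reboot and OSPF takes over again.
      printf "set static-route %s nexthop gateway address %s on\n", prefix, gw
    }'
}

# Constructed sample of the assumed "show route ospf" layout (not a real capture).
SAMPLE_ROUTES='Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)

S         0.0.0.0/0           via 192.168.1.1, eth0, cost 0, age 12345
C         192.168.1.0/24      is directly connected, eth0
O         10.20.0.0/24        via 10.1.1.2, eth1, cost 20, age 1234
O IA      10.30.0.0/16        via 10.1.1.3, eth2, cost 30, age 567
O E       172.16.0.0/12       via 10.1.1.2, eth1, cost 110, age 89'

# Run the converter over the sample; on a real member pipe "show route ospf" in instead.
convert_sample() {
  printf '%s\n' "$SAMPLE_ROUTES" | ospf_to_static
}

convert_sample
```

Review the generated commands before loading them into clish; the static and connected entries in the sample are there to show that only O-coded lines are converted.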

Summary: I’m not convinced that clustering and dynamic routing are ready for prime time – full connectivity upgrades. Assume you will take a 1 minute to 3 minute outage as you boot both members and they form a rightful cluster – and then OSPF starts up.


Comments

  • Ning  On May 28, 2013 at 10:43 pm

    May I ask a stupid question about Checkpoint cluster? Will the basic system settings be synced automatically between the primary and secondary unit? Despite this routing thing.

    Compared to other firewalls, Cisco ASA for example, once the HA cluster is built, all configuration only needs to be done on one firewall, and it gets synced to the other. (Not referring to firewall rules, but general settings, like interface description and so on.)

    Thank you!

    • Dreezman  On May 30, 2013 at 9:06 am

      Not sure I understood the question, but full connectivity upgrade only upgrades the state table and not configuration information.

      Thanks for reading my boring blogs.
      dreez

      • Ning  On June 1, 2013 at 12:28 am

        Thank you for the reply! Let me make an example: in a Cisco ASA H/A pair, if I want to change a cfg, NTP for instance, I only need to set it on the primary unit, and the cfg will be synced to the standby unit automatically. But it seems not to be the case for a Checkpoint H/A pair.

  • top laptops  On June 1, 2013 at 10:47 pm

    It’s amazing to visit this web page and read the views of all mates concerning this article, while I am also zealous of getting experience.

  • Sam Crooks  On March 16, 2014 at 6:12 am

    Have you tried an eBGP based routing design using communities to signal filtering and preference actions?

    I am considering writing up my design in an RFC and presenting at NANOG… Using the SRX line, so BGP features are fully working and not buggy.

    Would you be interested ?

    Dynamic fw routing with path symmetry and geo failover is the holy grail when you get more than a few FWs and more than like 2 in a communication path.

    Sam

    • Dreezman  On March 16, 2014 at 7:38 pm

      Wow…This sounds fantastic! Unfortunately I am so far from a routing geek aside from the basics that I am not in your league.

      Would you consider putting together a 1/2 day class and we can work something together? I’d do CoreXL.

      dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
