Chassis HA – Sync Lost Mechanism

The 61000/41000 Security System uses the Check Point proprietary Cluster Control Protocol (CCP) to send UDP control packets between two High Availability Chassis. When a sync interface fails, it is necessary to send a SYNC_LOST message to the other Chassis. The SYNC_LOST mechanism handles loss of connectivity between the two Chassis on the Sync network.

To prevent the two Chassis from changing their states to Active, a SYNC_LOST CCP packet is sent over the non-sync interfaces (the Data Ports and Management interfaces) to the other Chassis. This causes the two Chassis to freeze their current state until connectivity between them is restored. During the Sync Loss, the Standby Chassis does not change its state to Active until it stops receiving SYNC_LOST packets from the other Chassis.

The 61000/41000 Security System sends SYNC_LOST messages in this manner:

  • For VSX environments - All interfaces of the VS0 context only
  • For non-VSX environments - All Chassis interfaces
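The freeze behavior described above can be followed in a small simulation. This is an added example, not Check Point code: it is a simplified model in which each chassis decides once per interval, and the names `Chassis`, `tick`, `run` and the timelines are assumptions made for illustration.

```python
from dataclasses import dataclass

ACTIVE, STANDBY = "ACTIVE", "STANDBY"

@dataclass
class Chassis:
    state: str
    alive: bool = True
    frozen: bool = False

def tick(me, peer, sync_up, data_up, enabled):
    """Update one chassis for one interval (assumed, simplified timing)."""
    if not me.alive:
        return
    if sync_up and peer.alive:
        me.frozen = False          # normal CCP traffic on the Sync network
    elif enabled and data_up and peer.alive:
        me.frozen = True           # SYNC_LOST received on a non-sync interface
    else:
        me.frozen = False          # peer is silent on every path
        if me.state == STANDBY:
            me.state = ACTIVE      # Standby takes over

def run(timeline, enabled=True):
    """timeline: list of (sync_up, data_up, active_chassis_alive) per interval."""
    a, b = Chassis(ACTIVE), Chassis(STANDBY)
    history = []
    for sync_up, data_up, a_alive in timeline:
        a.alive = a_alive
        tick(a, b, sync_up, data_up, enabled)
        tick(b, a, sync_up, data_up, enabled)
        history.append((a.state if a.alive else "DOWN", b.state, b.frozen))
    return history

# Constructed timelines: Sync network cut for two intervals, then restored ...
SYNC_CUT = [(True, True, True), (False, True, True),
            (False, True, True), (True, True, True)]
# ... and Sync network cut, after which the Active Chassis itself fails.
SYNC_CUT_THEN_FAILURE = [(False, True, True), (False, True, True),
                         (False, True, False)]

if __name__ == "__main__":
    print("enabled :", run(SYNC_CUT, enabled=True))
    print("disabled:", run(SYNC_CUT, enabled=False))
    print("failure :", run(SYNC_CUT_THEN_FAILURE, enabled=True))
```

With the mechanism enabled the Standby Chassis stays frozen while SYNC_LOST packets arrive and takes over only when they stop; with it disabled, the same Sync cut leaves both Chassis Active.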

Configuration:

The Sync Lost mechanism is enabled by default.

To disable the Sync Lost mechanism, run these commands from gclish:

> fw ctl set int fwha_ch_sync_lost_mechanism_enabled 0
> update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=0

To enable the Sync Lost mechanism, run these commands from gclish:

> fw ctl set int fwha_ch_sync_lost_mechanism_enabled 1
> update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=1

Verification:

To check whether the mechanism is enabled:

> fw ctl get int fwha_ch_sync_lost_mechanism_enabled

(1 - enabled, 0 - disabled)

 
©2014 Check Point Software Technologies Ltd. All rights reserved.