Connectivity Upgrade Limitations

Some connections and features do not survive after failover to an upgraded Cluster Member.

General Failover Limitations

• Security Servers do not survive failover.
• Connections that are handled by the Check Point services, in which the option Synchronize connections on cluster is disabled, do not survive failover.
• Connections initiated by the Cluster Member itself, do not survive failover.
• TCP connections handled by the Check Point Active Streaming (CPAS) or Passive Streaming Layer (PSL) mechanism do not survive failover.
• Connectivity Upgrade and connections handled by Software Blades:
  • If IPS Software Blade in the cluster object (R77.X and lower) is configured to Prefer connectivity, and the Cluster Member that owns the connections is Down, then the connection is accepted without inspection. Otherwise, the Cluster Members drop the connection.
  • For all other Software Blades:
    • If the destination Cluster Member is available, the connection is forwarded to the Cluster Member that owns the connection.
    • If the destination Cluster Member is not available, the Cluster Members drop the connection.
• Connectivity Upgrade and CoreXL:
  • CU to R80.10 or above: It is supported to perform CU with an upgraded Cluster Member that has more CoreXL Firewall instances.
  • CU to R77.30 or below: All Cluster Members must have the same number of CoreXL Firewall instances.
• Connectivity Upgrade and Gaia kernel editions (32-bit and 64-bit):
  • CU to R80.10 or above: It is supported to perform CU between Cluster Members with different Gaia kernel editions (32-bit and 64-bit).
  • CU to R77.30 or below: All Cluster Members must run the same 32-bit or 64-bit kernel edition.

For additional limitations related to general failover, see the section Check Point Software Compatibility in the ClusterXL Administration Guide.

Limitations for Failover during the Connectivity Upgrade

• Connectivity Upgrade is supported only when CPU utilization on Cluster Members is below 50%.
• Connectivity Upgrade to R77.20 or R77.30 only: Dynamic Routing connections do not survive the Connectivity Upgrade.
• Mobile Access VPN connections do not survive the Connectivity Upgrade.
• Remote Access VPN connections do not survive the Connectivity Upgrade.
• VPN Traditional Mode connections do not survive the Connectivity Upgrade.
• Data Loss Prevention (DLP) connections do not survive the Connectivity Upgrade.
• FTP Control connections with NAT do not survive the Connectivity Upgrade.
• IPv6 connections do not survive the Connectivity Upgrade.
• Threat Emulation connections do not survive the Connectivity Upgrade.
• VPN connections that originate from a DAIP Gateway, do not survive the Connectivity Upgrade.
• When traffic passes through a VSX Cluster in Bridge mode, a connection might fail after the cluster failover to an upgraded VSX Cluster Member.
  Workaround: Set the value of the Forward Delay parameter for Bridge interface to 1 (one). See sk66531.
• If a session that is authenticated with the Identity Awareness Software Blade is open when you start the Connectivity Upgrade, the session is terminated.
• To upgrade a VRRP Cluster to R80.20 with the Connectivity Upgrade, you must install the R80.20 Jumbo Hotfix Accumulator - Take 17 and above (to resolve PMTR-23850).
• In the Connectivity Upgrade with Dynamic Routing synchronization:
  • CU to R77.20DR, R77.30DR, R80.10 or above: Dynamic Routing synchronization is available only for cluster-supported protocols. For detailed information, refer to sk98226: Dynamic Routing and VRRP Features on Gaia OS.
  • Configure BGP graceful restart to keep BGP routes during failover.
  • For VRRP Clusters, Dynamic Routing synchronization is supported only:
    • from R80.10 to next versions
    • from R77.30 to R80.10, and above
  • For VRRP Clusters, configure OSPF Graceful Restart to keep dynamic routes during the failover.