Connectivity Upgrade Limitations
Some connections and features do not survive after failover to an upgraded Cluster Member.
General Failover Limitations
- Security Servers do not survive failover.
- Connections that are handled by the Check Point services, in which the option is disabled, do not survive failover.
- Connections initiated by the Cluster Member itself do not survive failover.
- TCP connections handled by the Check Point Active Streaming (CPAS) or Passive Streaming Layer (PSL) mechanism do not survive failover.
- Connectivity Upgrade and connections handled by Software Blades:
- If IPS Software Blade in the cluster object (R77.X and lower) is configured to , and the Cluster Member that owns the connections is , then the connection is accepted without inspection. Otherwise, the Cluster Members drop the connection.
- For all other Software Blades:
- If the destination Cluster Member is available, the connection is forwarded to the Cluster Member that owns the connection.
- If the destination Cluster Member is not available, the Cluster Members drop the connection.
- Connectivity Upgrade and CoreXL:
- CU to R80.10 or above: CU is supported even if the upgraded Cluster Member has more CoreXL Firewall instances than the other Cluster Members.
- CU to R77.30 or below: All Cluster Members must have the same number of CoreXL Firewall instances.
- Connectivity Upgrade and Gaia kernel editions (32-bit and 64-bit):
- CU to R80.10 or above: CU is supported between Cluster Members that run different Gaia kernel editions (32-bit and 64-bit).
- CU to R77.30 or below: All Cluster Members must run the same 32-bit or 64-bit kernel edition.
For additional limitations related to general failover, see the section Check Point Software Compatibility in the ClusterXL Administration Guide.
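The CoreXL and kernel-edition rules above are the kind of thing to verify before starting a CU rather than discovering mid-upgrade. The following shell snippet is an added pre-check example, not Check Point code: it counts CoreXL Firewall instances from the output of `fw ctl multik stat` (the sample output embedded here is constructed to mimic that command's table) and applies the version-dependent rule. The helper names `count_instances` and `cu_corexl_ok`, and the simplification that any target major version of 80 or higher is treated as "R80.10 or above", are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Check Point code). Pre-check for the Connectivity Upgrade
# CoreXL rule: target R77.30 or below requires an identical number of CoreXL
# Firewall instances on all Cluster Members; target R80.10 or above allows the
# upgraded member to have more instances than the others.
#
# The two samples below are constructed to mimic "fw ctl multik stat" output.
# On a real Cluster Member, pipe the live command into count_instances instead:
#   fw ctl multik stat | count_instances

SAMPLE_OLD_MEMBER='ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |         412 |    980
 1 | Yes     | 2      |         398 |   1002'

SAMPLE_UPGRADED_MEMBER='ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 5      |         417 |    975
 1 | Yes     | 4      |         401 |   1010
 2 | Yes     | 3      |         388 |    990
 3 | Yes     | 2      |         406 |    998'

# count_instances: number of CoreXL FW instance rows (lines that begin with a
# numeric instance ID followed by the column separator) read from stdin.
count_instances() {
    grep -Ec '^[[:space:]]*[0-9]+[[:space:]]*[|]'
}

# cu_corexl_ok TARGET_MAJOR UPGRADED_COUNT OTHER_COUNT
# TARGET_MAJOR is the major version of the upgrade target (77 or 80 here;
# assumption: 80 and above is treated as "R80.10 or above").
# Returns 0 when the instance counts are compatible with CU, 1 otherwise.
cu_corexl_ok() {
    target=$1; upgraded=$2; other=$3
    if [ "$target" -ge 80 ]; then
        # R80.10 or above: the upgraded member may have the same or more.
        [ "$upgraded" -ge "$other" ]
    else
        # R77.30 or below: counts must be identical on all members.
        [ "$upgraded" -eq "$other" ]
    fi
}

# Stand-alone run: evaluate both rules against the constructed samples.
old=$(printf '%s\n' "$SAMPLE_OLD_MEMBER" | count_instances)
new=$(printf '%s\n' "$SAMPLE_UPGRADED_MEMBER" | count_instances)
if cu_corexl_ok 80 "$new" "$old"; then
    echo "CU to R80.10 or above: supported ($old -> $new instances)"
else
    echo "CU to R80.10 or above: NOT supported ($old -> $new instances)"
fi
if cu_corexl_ok 77 "$new" "$old"; then
    echo "CU to R77.30 or below: supported ($old -> $new instances)"
else
    echo "CU to R77.30 or below: NOT supported ($old vs $new instances)"
fi
```

With these samples the script reports the R80.10-or-above path as supported and the R77.30-or-below path as not supported, which is exactly the distinction the two CoreXL bullets draw; the same pattern (collect a fact from each member, compare against the target version's rule) applies to the kernel-edition check, where `uname -m` on each member supplies the 32-bit or 64-bit fact.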
Limitations for Failover during the Connectivity Upgrade
- Connectivity Upgrade is supported only when CPU utilization on Cluster Members is below 50%.
- Connectivity Upgrade to R77.20 or R77.30 only: Dynamic Routing connections do not survive the Connectivity Upgrade.
- Mobile Access VPN connections do not survive the Connectivity Upgrade.
- Remote Access VPN connections do not survive the Connectivity Upgrade.
- VPN Traditional Mode connections do not survive the Connectivity Upgrade.
- Data Loss Prevention (DLP) connections do not survive the Connectivity Upgrade.
- FTP Control connections with NAT do not survive the Connectivity Upgrade.
- IPv6 connections do not survive the Connectivity Upgrade.
- Threat Emulation connections do not survive the Connectivity Upgrade.
- VPN connections that originate from a DAIP Gateway do not survive the Connectivity Upgrade.
- When traffic passes through a VSX Cluster in Bridge mode, a connection might fail after the cluster failover to an upgraded VSX Cluster Member.
Workaround: Set the value of the Forward Delay parameter for the Bridge interface to 1 (one). See sk66531.
- If a session that is authenticated with the Identity Awareness Software Blade is open when you start the Connectivity Upgrade, the session is terminated.
- To upgrade a VRRP Cluster to R80.20 with the Connectivity Upgrade, you must install the R80.20 Jumbo Hotfix Accumulator - Take 17 and above (to resolve PMTR-23850).
- In the Connectivity Upgrade with Dynamic Routing synchronization:
- CU to R77.20DR, R77.30DR, R80.10 or above: Dynamic Routing synchronization is available only for cluster-supported protocols. For detailed information, refer to sk98226: Dynamic Routing and VRRP Features on Gaia OS.
- Configure BGP graceful restart to keep BGP routes during failover.
- For VRRP Clusters, Dynamic Routing synchronization is supported only:
- from R80.10 to a later version
- from R77.30 to R80.10 or above
- For VRRP Clusters, configure OSPF Graceful Restart to keep dynamic routes during the failover.