Multi-Version Cluster Limitations

Specific limitations apply to Multi-Version Cluster.

General limitations in Multi-Version Cluster configuration

The Multi-Version Cluster (MVC) upgrade does not support the replacement of the hardware (replacing the entire cluster member).

The MVC upgrade supports only multi-version software.

While the cluster contains Cluster Members that run different software versions (Multi-Version Cluster), it is not supported to change specific settings of the cluster object in SmartConsole.

You cannot change the cluster mode.

For example, from High Availability to Load Sharing.
In the High Availability mode, you cannot change the recovery mode.

For example, from Maintain current active Cluster Member to Switch to higher priority Cluster Member.
You cannot change the cluster topology.

Do not add, remove, or edit settings of cluster interfaces (IP addresses, Network Objectives, and so on).

In a VSX Cluster object, do not add, remove, or edit static routes.

Note - You can change these settings either before or after you upgrade all the Cluster Members.

While the cluster contains Cluster Members that run different software versions (Multi-Version Cluster), you must install the policy two times.

Multi-Version Cluster (MVC) does not support Cluster Members with Dynamically Assigned IP Addresses (DAIP).

Procedure

Important - In a VSX Cluster, it is possible to install policy only on the upgradedVSX Cluster Members that run R80.40. After you change the version of the VSX Cluster object to R80.40, the Management Server does not let you change it to the previous version.

Make the required changes in the Access Control or Threat Prevention policy.
In SmartConsole, change the version of the cluster object to R80.40:

On the General Properties page > in the Platform section > in the Version field, select R80.40 > click OK.
Install policy on the upgradedCluster Members that run R80.40:
1. In the Policy field, select the applicable policy.
2. In the Install Mode section, select these two options:
  - Select Install on each selected gateway independently.
  - Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
3. Click Install.
  
  The Policy installation:
  - Succeeds on the upgradedR80.40Cluster Members.
  - Fails on the oldCluster Members with a warning. Ignore this warning.
In SmartConsole, change the version of the cluster object to the previous version:

On the General Properties page > in the Platform section > in the Version field, select the previous version > click OK.
Install policy on the oldCluster Members that run the previous version:
1. In the Policy field, select the applicable policy.
2. In the Install Mode section, select these two options:
  - Select Install on each selected gateway independently.
  - Clear For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
3. Click Install.
  
  The Policy installation:
  - Succeeds on the oldCluster Members.
  - Fails on the upgradedR80.40Cluster Members with a warning. Ignore this warning.

Limitations during failover in Multi-Version Cluster

These connections do not survive failover between Cluster Members with different versions:

VPN:
- During a cluster failover from an R80.40 Cluster Member to an R77.30 Cluster Member, all VPN connections on an R80.40 Cluster Member that are inspected on CoreXL Firewall instances #1 and higher, are lost.
- Mobile Access VPN connections.
- Remote Access VPN connections.
- VPN Traditional Mode connections.
Static NAT connections are cut off during a cluster failover from an R80.40 Cluster Member to an R80.10 or R77.30 Cluster Member, if VMAC mode is enabled in this cluster.
Identity Awareness connections.
Data Loss Prevention (DLP) connections.
IPv6 connections.
Threat Emulation connections.
PSL connections that are open during fail-over and then fail-back.

In addition, see the R80.40 ClusterXL Administration Guide > Chapter High Availability and Load Sharing Modes in ClusterXL > Section Cluster Failover.