Bond Failover

Either of the following failure scenarios can induce bond failover:

Either of these occurrences will induce a failover, either to another subordinate interface within the bond, or between VSX Cluster Members, depending on the circumstances.

Note - The bond failover operation requires a network interface card that supports the Media-Independent Interface (MII) standard.

Link State Initiated Failover

Link-state initiated failover occurs in this sequence:

  1. The active subordinate interface detects a down link state.

  2. The bond initiates failover to a standby interface. Since this is a failover within the bond, the status of the other VSX Cluster Member is unaffected.

    When the number of available subordinate interfaces is fewer than the critical minimum number of interfaces, failover to other VSX Cluster Members occurs (see Setting Critical Required Interfaces).

  3. If the standby interface continues to detect a link failure, and the initial interface is still down, failover to other VSX Cluster Members occurs.
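The link-state sequence above can be checked from the operating system side. The following is an added example, not Check Point code: it assumes the gateway exposes the standard Linux bonding driver status text (/proc/net/bonding/<bond>) and maps it to the outcomes in steps 1-3. The sample text, the verdict labels, and the `critical_min` parameter (standing in for the critical minimum number of interfaces) are assumptions made for illustration.

```python
# Constructed sample in the layout the Linux bonding driver prints in
# /proc/net/bonding/<bond>; interface names and counters are made up.
SAMPLE = """\
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth2
MII Status: up

Slave Interface: eth1
MII Status: down
Link Failure Count: 1

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
"""

def parse_bond(text):
    """Return (active_name, {subordinate_name: link_is_up})."""
    active, current, links = None, None, {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Currently Active Slave":
            active = None if value == "None" else value
        elif key == "Slave Interface":
            current = value
        elif key == "MII Status" and current is not None:
            # The first "MII Status" line describes the bond as a whole and
            # appears before any subordinate section, so it is skipped here.
            links[current] = (value == "up")
    return active, links

def assess(text, critical_min):
    """Classify bond state; labels are this example's own, not ClusterXL states."""
    active, links = parse_bond(text)
    up = [name for name, ok in links.items() if ok]
    if len(up) < critical_min:
        return "cluster-failover"       # fewer links than the critical minimum
    if active is None or not links.get(active, False):
        return "bond-failover-pending"  # active link down, a standby is available
    if len(up) < len(links):
        return "degraded"               # traffic flows, but redundancy is reduced
    return "healthy"

if __name__ == "__main__":
    print(assess(SAMPLE, critical_min=1))
```

A "degraded" result is the one worth alerting on: the bond has already absorbed one link failure, and the next one leads to failover to another VSX Cluster Member.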

Failover Initiated by Cluster Control Protocol (CCP)

CCP failover occurs only when other VSX Cluster Members are not down, in this sequence:

  1. ClusterXL detects a problem sending or receiving CCP packets.

  2. ClusterXL initiates an internal bond failover.

  3. ClusterXL monitors CCP packet transmission and reception. If additional problems are detected within three minutes, the system initiates a failover to another VSX Cluster Member.

Failover Support for VLANs

ClusterXL monitors VLAN IDs for connectivity failure or miscommunication, and initiates failover when necessary. By default, both the highest and the lowest VLAN IDs are monitored for failure. This is done by sending ClusterXL Control Protocol (CCP) packets on round-trip paths at a set interval.

You can configure VSX to monitor all VLANs.

Item  Description
1     Cluster
2     bond 0
3     VLAN 1
4     VLAN 2
5     VLAN 3
6     S-1
7     S-2

When a failure is detected, a log of the failure is recorded in the Logs & Monitor view.

Monitoring the Highest and Lowest VLAN IDs

By default, the highest and lowest VLAN IDs indicate the status of the physical connection. These VLAN IDs are always monitored and a connectivity failure in either initiates a failover. In most deployments this is the desired setting, as it supports the primary purpose of the feature (detecting a connectivity failure) and the traffic generated on the network is light. However, this setting only detects VLAN configuration problems on the switch for the highest and lowest VLAN IDs.