It is recommended that the Check Point sync interface have a second interface configured using the redundancy interface feature of XOS:
circuit sync
  device-name sync
  link-state-resistant
  vap-group fw
    ip 192.168.255.1/24 192.168.255.255 increment-per-vap 192.168.255.2
interface ethernet 1/16
  logical sync
    circuit sync
interface ethernet 2/16
  standby-only
redundancy-interface master ethernet 1/16 backup ethernet 2/16 mac-usage master
  failovermode preemption-off
It is recommended NOT to use group-interface (LACP) for Check Point synchronization. Check Point synchronization traffic mainly uses only 2 IP addresses - the source 0.0.0.0 and the synchronization network broadcast address as the destination (192.168.255.255 in the above example). This traffic is considered a single flow and as such cannot be distributed over multiple physical links. It must be transmitted over a single interface and there is no benefit in using LACP.
When LACP is configured for sync, there is even a potential performance degradation issue if the neighbor switch selects a different link in the bundle to transmit the sync traffic than the X-series does. Such a scenario leads to flow reclassification on the NPM and may cause sync issues on the cluster members.
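The following Python model of hash-based link selection in a two-link bundle is an added illustration, not part of the original article or of any Check Point or X-series code. The two hash policies are assumptions chosen for the illustration (real distribution algorithms are vendor-specific); the sync address pair is the one from the configuration above.

```python
import ipaddress

N_LINKS = 2  # assumed bundle size


def _octets(ip):
    return ipaddress.ip_address(ip).packed


def hash_xor(src, dst, n=N_LINKS):
    """Assumed policy on one end: XOR of the last octets, modulo link count."""
    return (_octets(src)[-1] ^ _octets(dst)[-1]) % n


def hash_sum(src, dst, n=N_LINKS):
    """Assumed policy on the other end: sum of all address octets, modulo link count."""
    return (sum(_octets(src)) + sum(_octets(dst))) % n


def links_used(packets, policy):
    """Set of member links that a stream of (src, dst) packets lands on."""
    return {policy(src, dst) for src, dst in packets}


# Constructed traffic: every sync packet carries the same address pair.
SYNC = [("0.0.0.0", "192.168.255.255")] * 1000
# Constructed contrast: ordinary traffic from several sources to one host.
MIXED = [(f"10.0.0.{i}", "10.0.1.1") for i in range(1, 9)]


def report():
    return {
        # A single flow always hashes to exactly one link, whatever the policy.
        "sync_links_xor": links_used(SYNC, hash_xor),
        "sync_links_sum": links_used(SYNC, hash_sum),
        # Many flows spread over the bundle; this is the case LACP helps with.
        "mixed_links_xor": links_used(MIXED, hash_xor),
        # Two ends with different policies can pick different links for sync.
        "ends_agree_on_sync_link": hash_xor(*SYNC[0]) == hash_sum(*SYNC[0]),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With these assumed policies the sync flow occupies one link in each direction and the two ends choose different links, which is the mismatch described above.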
Workaround
N/A