Tuesday, January 3, 2012

Check Point: State Synchronization Guide

To reduce or eliminate these error messages, verify that you have followed the recommendations below:

  • The sync network needs to be dedicated to synchronization only. It is not recommended to run VRRP or IPSO Cluster on sync interfaces (refer to sk39179).
  • Sync interfaces should be configured as non-ADP interfaces.
  • Synchronization interfaces should be the same speed as, or faster than, the fastest interface on the VRRP or IPSO Cluster. However, this recommendation is impractical when 10 gigabit interfaces are employed. In practice, no more than 2 gigabits of throughput is needed for sync traffic on IPSO Appliances. This means a pair of non-ADP gigabit Ethernet interfaces will be sufficient, though in many cases a single gigabit Ethernet interface will suffice.
  • It is recommended to use a dedicated VLAN on a switch for Check Point sync traffic from a single cluster only, i.e., you should not mix CP sync traffic from members of other clusters across this dedicated VLAN. Use of a cross-over cable is also supported in a 2-node cluster. Choosing a switch or a cross-over cable for CP sync traffic is an environment preference.
  • For VRRP only - disable synchronization for certain services. This will help stabilize the systems because:
    1. Less memory will be demanded by the sync process. You already saw some related messages in the fwd.elg about sync buffers being full.
    2. It will free up CPU time.

The HTTP, HTTPS and DNS services are good candidates to be taken out of synchronization. Because of their nature, they are not affected in a failover scenario without synchronization.

  • The following limitations apply to state synchronization over a wide area network:
    1. The synchronization network must guarantee no more than 100ms latency and no more than 5% packet loss.
    2. The synchronization network may only include switches and hubs. No routers are allowed on the synchronization network, because routers will drop Cluster Control Protocol (CCP) packets. CCP is either Multicast or Broadcast and thus non-routable.
  • If an IP cluster is configured between two IPSO Appliances located in two different cities, CCP and VRRP advertisements need to be updated quite frequently. Any latency can cause both cluster members to behave abnormally. Also, if there is a break in the WAN link, both will become master, which can also cause problems.
    The solution is to ensure minimal latency between the cluster members and a highly reliable link.
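A check for the three WAN limits listed above, added here as example code (it is not from the original post or from Check Point): it parses Linux-style ping and traceroute output collected between the two cluster members and reports which limits the sync link violates. The sample outputs, addresses and tool output format are constructed assumptions.

```python
import re

# WAN limits for state synchronization as stated in the guide above.
MAX_LATENCY_MS = 100.0   # no more than 100ms latency
MAX_LOSS_PCT = 5.0       # no more than 5% packet loss
EXPECTED_HOPS = 1        # a flat L2 sync segment: the peer is the only hop

def parse_ping_summary(output):
    """Return (loss_pct, avg_rtt_ms) from Linux-style ping summary lines."""
    loss = re.search(r"(\d+(?:\.\d+)?)% packet loss", output)
    rtt = re.search(r"min/avg/max(?:/mdev)? = [\d.]+/([\d.]+)/", output)
    if not loss or not rtt:
        raise ValueError("ping summary lines not found")
    return float(loss.group(1)), float(rtt.group(1))

def count_hops(output):
    """Count numbered hop lines in traceroute output.
    More than one hop means a router sits in the sync path, and routers
    will not forward the multicast/broadcast CCP traffic."""
    return len(re.findall(r"^\s*\d+\s", output, re.MULTILINE))

def check_sync_link(ping_output, traceroute_output):
    """Return a list of violated WAN sync limits (empty list means OK)."""
    loss, avg_rtt = parse_ping_summary(ping_output)
    hops = count_hops(traceroute_output)
    problems = []
    if avg_rtt > MAX_LATENCY_MS:
        problems.append(f"latency {avg_rtt:.1f}ms exceeds {MAX_LATENCY_MS:.0f}ms")
    if loss > MAX_LOSS_PCT:
        problems.append(f"packet loss {loss:.1f}% exceeds {MAX_LOSS_PCT:.0f}%")
    if hops != EXPECTED_HOPS:
        problems.append(f"{hops} hops to peer: a router is in the sync path")
    return problems
# Constructed sample output (not captured from a real cluster).
GOOD_PING = """--- 10.0.0.2 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19002ms
rtt min/avg/max/mdev = 0.301/0.412/0.598/0.081 ms"""
GOOD_TRACE = """traceroute to 10.0.0.2 (10.0.0.2), 30 hops max, 60 byte packets
 1  10.0.0.2 (10.0.0.2)  0.412 ms  0.398 ms  0.401 ms"""
BAD_PING = """--- 192.0.2.10 ping statistics ---
20 packets transmitted, 18 received, 10% packet loss, time 19050ms
rtt min/avg/max/mdev = 88.120/134.507/201.330/30.114 ms"""
BAD_TRACE = """traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  198.51.100.1 (198.51.100.1)  1.102 ms  1.090 ms  1.088 ms
 2  203.0.113.9 (203.0.113.9)  70.211 ms  70.198 ms  70.187 ms
 3  192.0.2.10 (192.0.2.10)  134.507 ms  134.420 ms  134.399 ms"""
if __name__ == "__main__":
    print("good link:", check_sync_link(GOOD_PING, GOOD_TRACE))
    print("bad link:", check_sync_link(BAD_PING, BAD_TRACE))
```

On the constructed "bad" link all three limits are reported: latency over 100ms, loss over 5%, and three hops where the guide allows only a switched segment.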
