Checkpoint consistently recommends using an X-over cable for the Sync LAN where
possible. Below are some direct quotes from their Cluster XL doco:
"To secure the synchronization interfaces, they should be directly connected
by a cross cable, or in the case of a three or more member cluster, by means of
a dedicated hub or switch." (pg 29)
"For the Synchronization interfaces, use a cross cable, or a dedicated
switch." (pg 43 & 54)
"Therefore, it is best to connect the secured interfaces of a given cluster via
a crossover link when possible, or to an isolated VLAN." (pg 109)
Do you see any errors on your switch indicating dropped packets or config
errors?
Any packet errors on your Sync LAN NICs?
Tried using a dumb hub for your Sync LAN? If so, what was the result?
Do the Sync LAN NIC settings match (duplex / speed)?
Tried using an X-over for your Sync LAN?
Here are some handy commands to run on your FW to see if your Sync LAN is
working OK:
"fw ctl pstat" identifies lots of traffic stats, but most importantly at the
bottom it lists the state of the FW Sync LAN.
"cphaprob list" identifies the state of the Sync LAN, FW Rulebase, FW HA
Daemon, and FW Daemon.
"cphaprob state" identifies the cluster state of each FW. It
will tell you if a clustered FW is active, down, or requires attention.
"fw tab -t connections -s-u": to check if the FW State table is replicated on
both FW's, a good check is to run "fw tab -t connections -s-u" on both FW's. The
#VALS column is the number of entries in the FW state table. This number should be
almost the same on both FW's. If they are not close to each other
(within a couple) then you may have a sync issue.
NOTE: If the FW is under load, entries in the state table are coming and going
all the time, so try to run this command at the same time on both FW's.
#PEAK is the highest number of entries in the state table that the FW has observed.
See Checkpoint Doco on Cluster XL
http://www.checkpoint.com/support/downloads/docs/firewall1/r55/ClusterXL.pdf
Hope this helps
Brad
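The #VALS comparison Brad describes, as an added example that is not part of the original post: it parses the summary table printed by "fw tab -t connections -s -u" on each member and flags a gap larger than a chosen tolerance. The two table captures below are constructed to mimic the command's column layout; on real members you would capture the command's actual output.

```shell
#!/bin/sh
# Added example: compare the #VALS column of "fw tab -t connections -s -u"
# as captured on two cluster members. Both captures are CONSTRUCTED samples
# laid out like the real summary table (HOST NAME ID #VALS #PEAK #SLINKS).
MEMBER_A_OUTPUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158  1532  4210  3064'
MEMBER_B_OUTPUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158  1529  4198  3058'

# Extract #VALS: the 4th column of the row whose NAME is "connections".
vals_count() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'
}

# Return 0 when the two counts differ by at most $3 entries, else 1.
sync_within() {
    a=$1; b=$2; tol=$3
    delta=$((a - b))
    [ "$delta" -lt 0 ] && delta=$((0 - delta))
    [ "$delta" -le "$tol" ]
}

# Compare two captures; print a verdict and return 0 (ok) or 1 (suspect).
check_sync() {
    va=$(vals_count "$1")
    vb=$(vals_count "$2")
    if sync_within "$va" "$vb" "$3"; then
        echo "OK: #VALS $va vs $vb (tolerance $3)"
        return 0
    fi
    echo "WARN: #VALS $va vs $vb differ by more than $3, possible sync issue"
    return 1
}

# Tolerance of a few entries, since connections come and go under load.
check_sync "$MEMBER_A_OUTPUT" "$MEMBER_B_OUTPUT" 5
```

Run the fw command on both members as close to simultaneously as you can before comparing, as a busy firewall changes its table every second.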
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lino Eduardo Avila Rodríguez
Sent: Thursday, 21 July 2005 1:08 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cluster XL sync problem
I'm having some trouble with Cluster XL. I've been trying to set up a cluster but
I've been having problems with the synchronization. If I use each module alone
everything works OK; if I use both there is some instability in my network: the
modules stop forwarding traffic for a little while, then everything goes back to
normal, and some applications are not working fine. I've been looking for errors
and I get this error in the messages a lot, sometimes every ten minutes, sometimes
less.
Jul 19 05:00:40 fwph2 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems !
Jul 19 05:00:40 fwph2 kernel: FW-1: It is recommended to set the global parameter fw_sync_block_new_conns to 0
Jul 19 05:00:40 fwph2 kernel: FW-1: Please refer to documentation for details on this issue. Any change must be applied to ALL cluster members
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: delta sync connection with member 0 was lost and regained. 587 updates were lost.
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: received sequence 0x69c82 (fragm 0, index 1), last processed seq 0x69a36
Does anybody have any idea why this is happening? Or how to correct this?
My configuration is two modules with SPLAT R55 HFA04, the synchronization
network is through a switch.
I'm using only HA.
Best Regards
Lino E. Avila
leavila AT scitum.com DOT mx
52651700 ext. 1774
Nextel ID: 52*17946*47
Mobile: 55 24743746
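A small log check for the symptom Lino quotes, as an added example that is not part of the original post: it counts the "State synchronization is in risk" warnings in a syslog excerpt and totals the delta-sync updates reported lost, so you can see how often the Sync LAN is dropping out and how much state each drop costs. The log lines below are constructed from the messages quoted above; on a member you would feed the real messages file.

```shell
#!/bin/sh
# Added example: summarise ClusterXL sync warnings in a syslog excerpt.
# SAMPLE_LOG is CONSTRUCTED from the message formats quoted in the thread
# (timestamps, counts and the unrelated sshd line are made up).
SAMPLE_LOG='Jul 19 05:00:40 fwph2 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems !
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: delta sync connection with member 0 was lost and regained.587 updates were lost.
Jul 19 05:10:12 fwph2 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems !
Jul 19 05:10:12 fwph2 kernel: FW-1: fwldbcast_recv: delta sync connection with member 0 was lost and regained. 42 updates were lost.
Jul 19 05:11:03 fwph2 sshd[1234]: Accepted publickey for admin'

# Count the "State synchronization is in risk" kernel warnings.
risk_warnings() {
    printf '%s\n' "$1" | awk '/State synchronization is in risk/ { n++ } END { print n + 0 }'
}

# Sum the N in "N updates were lost". match() finds the number even when the
# preceding period is glued to it (as in the quoted log), since awk converts
# the leading digits of the matched substring to a number.
lost_updates() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+ updates were lost/) {
            total += substr($0, RSTART, RLENGTH) + 0
        }
        END { print total + 0 }'
}

# Print a one-line summary of the excerpt.
sync_report() {
    w=$(risk_warnings "$1")
    l=$(lost_updates "$1")
    echo "sync-at-risk warnings: $w, delta sync updates lost: $l"
}

sync_report "$SAMPLE_LOG"
```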
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Layne Meier
Sent: Wednesday, July 20, 2005 8:58 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cluster XL Problem
I just implemented the recommended Cisco configuration information on my Cisco
switches and now I can do Load Sharing Multicast in my cluster.
(See pages 37 and 38 of the NG-AI, R55 ClusterXL Configuration Guide - June
2003).
Mind you, I'm running NG-AI, R55, HFA_R55_15
Thank you all for your assistance
Layne Meier
Atlanta, GA
On Jul 20, 2005, at 9:17 AM, Cassell,Damon Z. wrote:
> This is not necessarily true. I've found that Cisco 2950 switches are
> plug and play when it comes to multicast addresses and ClusterXL. I'm
> currently testing such a configuration.
>
> Page 52 of Checkpoint's ClusterXL R55 guide suggests some hardware,
> and there is also an additional sk document mentioned there that talks
> about specific switch configurations.
>
> Damon Cassell
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Timothy Arnold
> Sent: Wednesday, July 20, 2005 7:56 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Cluster XL Problem
>
> do you have a cisco router/switch in front of them? iirc they cannot
> handle multicast addresses so you need to put a static arp entry in!
>
>
> ----- Original Message -----
> From: "Layne Meier" <lmeier AT AJC DOT COM>
> To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> Sent: Wednesday, July 20, 2005 12:38 PM
> Subject: [FW-1] Cluster XL Problem
>
>
>> I'm having a bit of trouble setting up a VPN-1/Firewall-1 Cluster.
>>
>> In my attempt, I have all of the appropriate licenses (VFF, ClusterXL,
>> Policy Server).
>>
>> I have set up a pair of Sun Netra T-1 105 servers, with a QuadFast
>> Ethernet Adapter in each of them as the enforcement modules. I've set up
>> a Sun Netra X1 as the management server. All of these systems are running
>> Sun Solaris 8, with the appropriate Solaris patches required by CheckPoint
>> installed.
>>
>> I defined my cluster with the "virtual" IP Addresses that will be used,
>> defined the two enforcement modules as cluster members with unique IP
>> Addresses for their local interfaces. Pushed a policy to them.
>>
>> All of this is pretty normal. However, here is my problem.
>>
>> If I establish my cluster as a Load Sharing, Multicast cluster, I can only
>> ping from my local network the two unique IP Addresses of the LAN
>> interfaces of the two enforcement modules. I cannot ping the virtual IP
>> Address, the external unique IP Addresses, nor the virtual of them.
>>
>> If I change it to a Load Sharing, Unicast cluster, I can ping all
>> interfaces, including all virtuals. I prefer the concept of a load
>> sharing cluster without having a pivot system.
>>
>> Any thoughts as to why I can't get Load Sharing Multicast to work?
>>
>> Thank you,
>> Layne Meier
>> Atlanta, GA
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages, send an email to
>> LISTSERV AT amadeus.us.checkpoint DOT com
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your subscription options,
>> email fw-1-owner AT ts.checkpoint DOT com
>> =================================================
>>
>