https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54035#M4095 <P><STRONG>Appliances:</STRONG> (2) 5400 16GB RAM Gaia R80.10</P><P>I have been experiencing this issue for over 18 months and haven't made progress with TAC. I am currently running R80.10 and was experiencing this issue in R77.30 as well (my upgrade to R80.10 was an attempt to resolve this issue).</P><P><STRONG>Description:</STRONG> When physical memory approaches 16GB of consumption, traffic begins to drop. Running <STRONG>'fw ctl zdebug drop'</STRONG> reveals a lot of <STRONG>'Reason: PSL Drop: TCP segment out of maximum allowed sequence.'</STRONG> errors. If I'm lucky enough to catch things at this point, I can manually fail over to the standby node and the issue is immediately resolved. If I don't catch things at this stage, the primary node will eventually stop passing traffic and does not automatically fail over to the standby node. I cannot get in or out of my network and I cannot remotely manage the gateway without using the lights-out port (I've added lights-out because of this issue). This cluster is in my HQ office and all 26 remote locations are in a VPN community with this cluster (remote locations are 1450 appliances running R77.20.86). When this issue occurs, everyone in the company is impacted.</P><P>QoS definitely has an impact on this issue. Memory usage climbs by 1GB/day with QoS enabled. With QoS disabled, memory usage climbs by about 100MB/day. So with QoS disabled, the issue occurs much less frequently. With QoS enabled, I've got about a week before this issue occurs. In the past, when I manually fail over, I will reboot the non-active node. I tried something different last week. I failed over to the standby (cpstop &amp;&amp; cpstart) and when the primary was showing 'standby' I failed back over. At some point 2 days later after business hours, the primary stopped passing traffic and didn't fail over.</P><P>I find it hard to believe that I'm the only one experiencing this issue. If anyone has any ideas, I'd greatly appreciate the help.</P><P>&nbsp;</P> Tue, 21 May 2019 14:04:05 GMT John_Pinegar 2019-05-21T14:04:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54035#M4095 <P><STRONG>Appliances:</STRONG> (2) 5400 16GB RAM Gaia R80.10</P><P>I have been experiencing this issue for over 18 months and haven't made progress with TAC. I am currently running R80.10 and was experiencing this issue in R77.30 as well (my upgrade to R80.10 was an attempt to resolve this issue).</P><P><STRONG>Description:</STRONG> When physical memory approaches 16GB of consumption, traffic begins to drop. Running <STRONG>'fw ctl zdebug drop'</STRONG> reveals a lot of <STRONG>'Reason: PSL Drop: TCP segment out of maximum allowed sequence.'</STRONG> errors. If I'm lucky enough to catch things at this point, I can manually fail over to the standby node and the issue is immediately resolved. If I don't catch things at this stage, the primary node will eventually stop passing traffic and does not automatically fail over to the standby node. I cannot get in or out of my network and I cannot remotely manage the gateway without using the lights-out port (I've added lights-out because of this issue). This cluster is in my HQ office and all 26 remote locations are in a VPN community with this cluster (remote locations are 1450 appliances running R77.20.86). When this issue occurs, everyone in the company is impacted.</P><P>QoS definitely has an impact on this issue. Memory usage climbs by 1GB/day with QoS enabled. With QoS disabled, memory usage climbs by about 100MB/day. So with QoS disabled, the issue occurs much less frequently. With QoS enabled, I've got about a week before this issue occurs. In the past, when I manually fail over, I will reboot the non-active node. I tried something different last week. I failed over to the standby (cpstop &amp;&amp; cpstart) and when the primary was showing 'standby' I failed back over. At some point 2 days later after business hours, the primary stopped passing traffic and didn't fail over.</P><P>I find it hard to believe that I'm the only one experiencing this issue. If anyone has any ideas, I'd greatly appreciate the help.</P><P>&nbsp;</P> Tue, 21 May 2019 14:04:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54035#M4095 John_Pinegar 2019-05-21T14:04:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54163#M4107 <P>I suspect the memory leaks are the real issue here. Has any work been done on the TAC case(s) around that?</P> Thu, 23 May 2019 01:15:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54163#M4107 PhoneBoy 2019-05-23T01:15:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54233#M4111 <P>We have performed memory leak tests at TAC's request and not found anything definitive.</P><P>&nbsp;</P> Thu, 23 May 2019 13:04:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-Not-Automatically-Failing-Over/m-p/54233#M4111 John_Pinegar 2019-05-23T13:04:10Z