https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230079#M44275 <P>HI Checkmates</P><P>&nbsp;</P><P>&nbsp;Today i have seen new issue on cluster XL.</P><P>Environment: Distribution architecture</P><P>Version : R81.20</P><P>Hotfix : 84</P><P>Cluster members : 2 checkpoint appliances</P><P>When i do a cluster failover, secondary member takes at least 10 minutes to process the traffic. That time our all the services are goes down, after 10 minutes everything works fine. i did not observe any drops on log (smart console).</P><P>but the cluster state show active/standby states correctly. no delay on this part.</P><P>Kindly help me to sort out the new problem.</P><P>&nbsp;</P><P>Thanks</P><P>Rajkumar T</P><P>&nbsp;</P> Thu, 17 Oct 2024 19:57:22 GMT TRajkumar 2024-10-17T19:57:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230079#M44275 <P>HI Checkmates</P><P>&nbsp;</P><P>&nbsp;Today i have seen new issue on cluster XL.</P><P>Environment: Distribution architecture</P><P>Version : R81.20</P><P>Hotfix : 84</P><P>Cluster members : 2 checkpoint appliances</P><P>When i do a cluster failover, secondary member takes at least 10 minutes to process the traffic. That time our all the services are goes down, after 10 minutes everything works fine. i did not observe any drops on log (smart console).</P><P>but the cluster state show active/standby states correctly. no delay on this part.</P><P>Kindly help me to sort out the new problem.</P><P>&nbsp;</P><P>Thanks</P><P>Rajkumar T</P><P>&nbsp;</P> Thu, 17 Oct 2024 19:57:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230079#M44275 TRajkumar 2024-10-17T19:57:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230080#M44276 <P>Can you please send outputs of below when this happens?</P> <P>Andy</P> <P>**********************</P> <P>&nbsp;</P> <P>cphaprob roles</P> <P>cphaprob state</P> <P>cphaprob -a if</P> <P>cphaprob -i list</P> <P>cphaprob -l list</P> <P>cphaprob syncstat</P> <P>&nbsp;</P> <P>********************************</P> <P>&nbsp;</P> <P>Personally, never seen such an issue myself, even back in R55.</P> Thu, 17 Oct 2024 20:06:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230080#M44276 the_rock 2024-10-17T20:06:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230087#M44279 <P>Is there any dynamic routing involved or are there issues with stale ARP entries?</P> <P>Do the issue occur regardless of which member is active or standby?</P> Thu, 17 Oct 2024 22:38:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230087#M44279 Chris_Atkinson 2024-10-17T22:38:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230089#M44280 <P>Have you run any tcpdumps and/or traffic captures to see if the packets are reaching the gateway during the outage period?</P> Fri, 18 Oct 2024 01:58:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230089#M44280 emmap 2024-10-18T01:58:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230161#M44294 <P>Sounds like a Gratuitous ARP issue (which is the default setting), do you have VMAC set on the cluster object?&nbsp; That should help but if you still experience a 10-12 second delay upon failover even after setting VMAC you'll need to set portfast (NOT disable STP) on the switch ports the firewalls are connected to.&nbsp;</P> <P>If everything is working properly, upon failover you should see the following traffic behavior:</P> <P class="lia-indent-padding-left-30px">Catastrophic Failover (active completely dies/crashes): Outage of up to 2.5 seconds</P> <P class="lia-indent-padding-left-30px">Non-Catastrophic Failover (active interface failure, clusterXL_admin down, etc.): Outage of up to 300 milliseconds</P> Fri, 18 Oct 2024 15:19:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230161#M44294 Timothy_Hall 2024-10-18T15:19:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230164#M44295 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/84623">@TRajkumar</a>&nbsp;</P> <P>Actually,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;makes super valid point. Can you see if below is enabled or not?</P> <P>Andy</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28118iAAB09199AD2394EE/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Fri, 18 Oct 2024 15:43:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230164#M44295 the_rock 2024-10-18T15:43:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230169#M44296 <P>share fw tab -t connections -s from both members at the same time.</P> <P>This will show if the connections are synced.&nbsp;</P> Fri, 18 Oct 2024 17:41:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230169#M44296 Lesley 2024-10-18T17:41:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230196#M44301 <P>HI Chris</P><P>&nbsp;There is no dynamic routing.</P> Sat, 19 Oct 2024 04:50:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230196#M44301 TRajkumar 2024-10-19T04:50:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230197#M44302 <P>Dear Timothy</P><P>Thanks i will try this.</P><P>&nbsp;</P><P>Thanks</P><P>Rajkumar T</P> Sat, 19 Oct 2024 04:51:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230197#M44302 TRajkumar 2024-10-19T04:51:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230200#M44304 <P>Try to toggle that option and install policy and then do a failover test and see what happens. If no change, naybe open TAC case to further investigate.</P> <P>Andy</P> Sat, 19 Oct 2024 13:01:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Delay-when-standby-member-to-came-up/m-p/230200#M44304 the_rock 2024-10-19T13:01:39Z