https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8767#M471 <HTML><HEAD></HEAD><BODY><P>Upon the recovery of a cluster member, there is an extended handshake between the two cluster members that may take awhile and includes a full sync.&nbsp; After a reboot and while the recovered member is still showing "Down", what do these commands show:</P><P></P><P>cphaprob -a if</P><P>cphaprob -ia list</P><P></P><P>You are likely to see something called a "Recovery Delay" in the output of the second command, which is more or less equivalent to a VRRP Cold Start Delay.&nbsp; It is also possible the first command will show one or more interfaces as "Down" due to STP delays in your switchports, but that shouldn't last anywhere close to 5 minutes...</P><P></P><P>See the following for more info:&nbsp; <A class="" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92353&amp;partition=Advanced&amp;product=VSX," style="max-width: 840px;">sk92353: Output of 'cphaprob -ia list' on <STRONG>ClusterXL</STRONG> shows a Critical Device called 'Recovery Delay'</A></P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A href="http://maxpowerfirewalls.com" target="_blank">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Fri, 03 Nov 2017 12:08:24 GMT Timothy_Hall 2017-11-03T12:08:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8765#M469 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We are currently testing a new R80.10 ClusterXL based firewall cluster and notice the following:</P><P>When rebooting one of the cluster member&nbsp;the Cluster XL status&nbsp; of that member is around 5 minutes in down before it moves over to Standby state:&nbsp;&nbsp;</P><P></P><P>cphaprob state</P><P><BR />Cluster Mode: High Availability (Active Up) with IGMP Membership</P><P>Number Unique Address Assigned Load State</P><P>1 192.168.1.2 100% Active<BR />2 (local) 192.168.1.3 0% Down</P><P>Local member is in current state since Thu Nov 2 21:22:55 2017</P><P></P><P><BR />Cluster Mode: High Availability (Active Up) with IGMP Membership</P><P>Number Unique Address Assigned Load State</P><P>1 192.168.1.2 100% Active<BR />2 (local) 192.168.1.3 0% Standby</P><P>Local member is in current state since Thu Nov 2 21:28:26 2017</P><P></P><P>Is this normal behavior ?</P><P></P><P>Kind regards, Rob.</P></BODY></HTML> Thu, 02 Nov 2017 20:56:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8765#M469 Rob_Gaal 2017-11-02T20:56:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8766#M470 <HTML><HEAD></HEAD><BODY><P>On the surface, that seems reasonable.</P><P>Before a cluster member is actually up and ready to accept traffic, the various processes have to be started, the security policy loaded, and connections from the other active system synced.</P></BODY></HTML> Fri, 03 Nov 2017 06:18:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8766#M470 PhoneBoy 2017-11-03T06:18:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8767#M471 <HTML><HEAD></HEAD><BODY><P>Upon the recovery of a cluster member, there is an extended handshake between the two cluster members that may take awhile and includes a full sync.&nbsp; After a reboot and while the recovered member is still showing "Down", what do these commands show:</P><P></P><P>cphaprob -a if</P><P>cphaprob -ia list</P><P></P><P>You are likely to see something called a "Recovery Delay" in the output of the second command, which is more or less equivalent to a VRRP Cold Start Delay.&nbsp; It is also possible the first command will show one or more interfaces as "Down" due to STP delays in your switchports, but that shouldn't last anywhere close to 5 minutes...</P><P></P><P>See the following for more info:&nbsp; <A class="" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92353&amp;partition=Advanced&amp;product=VSX," style="max-width: 840px;">sk92353: Output of 'cphaprob -ia list' on <STRONG>ClusterXL</STRONG> shows a Critical Device called 'Recovery Delay'</A></P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A href="http://maxpowerfirewalls.com" target="_blank">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Fri, 03 Nov 2017 12:08:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/cluster-xl-start-time-after-reboot/m-p/8767#M471 Timothy_Hall 2017-11-03T12:08:24Z