Petr_Hantak
Advisor

Number of concurrent connections shown in CPView Utility depends on the status of SecureXL

I have a question about the number of concurrent connections shown in CPView Utility.

CPView utility is a nice and, for most of my colleagues, very easy to understand utility for a quick performance check. Usually we are running a cluster solution and I must admit that it is quite confusing what we can see on the Active and Standby nodes about connections. When SecureXL is active it shows only active connections on the STANDBY node, but not the summary of all synchronized connections from the connection table.

Active node:

[Screenshot: ACTIVE-member concurrent connections]

Standby node: 

[Screenshot: STANDBY-member concurrent connections]

This situation is correct according to sk103496:

Symptoms
  • The number of concurrent connections shown in CPView Utility is less than shown in the output of 'fw ctl pstat' or in the output of 'fw tab -t connections -s' command.

  • The number of concurrent connections shown in CPView Utility differs depending on whether SecureXL is enabled or disabled.

Cause

The command 'fwaccel stats' (counter "C total conns") shows the connections in SecureXL FWAccel module.
The command 'fw ctl pstat' (counter "Concurrent Connections") shows the connections in FW module.

CPView Utility is designed to show the actual amount of connections that currently pass through the Security Gateway. This counter is adjusted according to which Check Point kernel module is handling the traffic:

  • When SecureXL is enabled, CPView Utility shows the connections from the SecureXL FWAccel module (run the command fwaccel stats | grep "C total conns")
  • When SecureXL is disabled, CPView Utility shows the connections from the FW module (run the command fw tab -t connections -s and refer to #VALS column)

The difference in the number of connections when SecureXL is enabled or disabled is due to the fact that:

  • SecureXL SIM module does not show certain connections - e.g., ClusterXL synchronization connections.
  • FW module does not show certain connections - e.g., Delayed connections.

In addition, the big difference between the output of 'fwaccel conns -s' command and output of 'fwaccel stats | grep "C total conns"' is due to the fact that the command 'fwaccel conns -s' shows both Client-to-Server and Server-to-Client connections, while the command 'fwaccel stats | grep "C total conns"' compresses these connections into one connection.

Solution

No fix is required; the system is functioning as designed.

At least for me it makes sense to see concurrent connections equal in CPView for both cluster members. In that case we can see easily that it is synchronized.

Does anyone know what is behind the current design?

Do you prefer to keep it as is or change it to an equal view?

Accepted Solutions
Kaspars_Zibarts
Employee

Actually that SK does not apply to your question. Cpview is just showing ACTIVE concurrent connections running through your firewall. And since the standby firewall will only have a handful of active connections (to/from itself), the output is correct. If you want to see that the connections table is more or less the same in the cluster just use

fw tab -t connections -s

that will be fairly close on both.

Cpview will show combined values from fwaccel stat

Petr_Hantak
Advisor

Yes, you are perfectly right.

   fw tab -t connections -s

or

   cphacu stat

are the right choices for sure. I simply supposed that Cpview is always reading "fw tab -t connections -s" and then it should be similar on both cluster nodes. But it is not true, or at least not in the normal case when SecureXL is active. It is good to know that Cpview is not the right shortcut to check sync of the connection table and the CLI is the right way.
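
The comparison suggested in the accepted solution can be scripted. The following is an added example, not part of the thread and not Check Point tooling: it reads the #VALS column of `fw tab -t connections -s` output captured on each cluster member and flags a difference larger than a tolerance. The sample captures, the column layout they show, the function names and the 5% default tolerance are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: compare connections-table size (#VALS) between cluster members.
# The two captures below are CONSTRUCTED samples, not real gateway output;
# the header/row layout is an assumption about `fw tab -t connections -s`.
ACTIVE_SAMPLE='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158 20412 35770   61022'
STANDBY_SAMPLE='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158 20105 35012   60310'

# conn_vals TEXT: print #VALS of the "connections" row.
# The column is located by its header name, not by a fixed position.
conn_vals() {
    printf '%s\n' "$1" | awk '
        !col { for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i; next }
        $2 == "connections" && $col ~ /^[0-9]+$/ { print $col; found = 1; exit }
        END { if (!found) exit 1 }'
}

# sync_check ACTIVE_TEXT STANDBY_TEXT [TOLERANCE_PCT]
# Returns 0 if the counts are within tolerance, 1 on drift, 2 if unparsable.
sync_check() {
    local a s diff tol=${3:-5}
    a=$(conn_vals "$1") || { echo "UNPARSED active"; return 2; }
    s=$(conn_vals "$2") || { echo "UNPARSED standby"; return 2; }
    if [ "$a" -ge "$s" ]; then diff=$((a - s)); else diff=$((s - a)); fi
    # Integer comparison: diff/active <= tol/100
    if [ $((diff * 100)) -le $((a * tol)) ]; then
        echo "OK active=$a standby=$s diff=$diff"
    else
        echo "DRIFT active=$a standby=$s diff=$diff"
        return 1
    fi
}

# Demo on the constructed samples. On real members, capture
# "$(fw tab -t connections -s)" on each node and pass both captures in.
sync_check "$ACTIVE_SAMPLE" "$STANDBY_SAMPLE"
```

Counts are never identical on a live cluster, so the tolerance should reflect the "fairly close" expectation rather than exact equality.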
