This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TRajkumar
Contributor
Contributor
‎2024-10-17 12:57 PM

Delay when standby member to came up

HI Checkmates

 

 Today i have seen new issue on cluster XL.

Environment: Distribution architecture

Version : R81.20

Hotfix : 84

Cluster members : 2 checkpoint appliances

When i do a cluster failover, secondary member takes at least 10 minutes to process the traffic. That time our all the services are goes down, after 10 minutes everything works fine. i did not observe any drops on log (smart console).

but the cluster state show active/standby states correctly. no delay on this part.

Kindly help me to sort out the new problem.

 

Thanks

Rajkumar T

 

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-10-17 01:06 PM

Can you please send outputs of below when this happens?

Andy

**********************

 

cphaprob roles

cphaprob state

cphaprob -a if

cphaprob -i list

cphaprob -l list

cphaprob syncstat

 

********************************

 

Personally, never seen such an issue myself, even back in R55.

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-10-17 03:38 PM

Is there any dynamic routing involved or are there issues with stale ARP entries?

Do the issue occur regardless of which member is active or standby?

CCSM R77/R80/ELITE
0 Kudos
TRajkumar
Contributor
Contributor
‎2024-10-18 09:50 PM
In response to Chris_Atkinson

HI Chris

 There is no dynamic routing.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-10-17 06:58 PM

Have you run any tcpdumps and/or traffic captures to see if the packets are reaching the gateway during the outage period?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-10-18 08:18 AM

Sounds like a Gratuitous ARP issue (which is the default setting), do you have VMAC set on the cluster object?  That should help but if you still experience a 10-12 second delay upon failover even after setting VMAC you'll need to set portfast (NOT disable STP) on the switch ports the firewalls are connected to. 

If everything is working properly, upon failover you should see the following traffic behavior:

Catastrophic Failover (active completely dies/crashes): Outage of up to 2.5 seconds

Non-Catastrophic Failover (active interface failure, clusterXL_admin down, etc.): Outage of up to 300 milliseconds

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-10-18 08:43 AM
In response to Timothy_Hall

@TRajkumar 

Actually, @Timothy_Hall makes super valid point. Can you see if below is enabled or not?

Andy

 

Screenshot_1.png

Best,
Andy
0 Kudos
TRajkumar
Contributor
Contributor
‎2024-10-18 09:51 PM
In response to Timothy_Hall

Dear Timothy

Thanks i will try this.

 

Thanks

Rajkumar T

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-10-19 06:01 AM
In response to TRajkumar

Try to toggle that option and install policy and then do a failover test and see what happens. If no change, naybe open TAC case to further investigate.

Andy

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-10-18 10:41 AM

share fw tab -t connections -s from both members at the same time.

This will show if the connections are synced. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events