This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scott_Laudensla
Participant
‎2018-01-10 10:53 AM

Question about Cluster fail-over and connections

Hello,

We have two 15400 gateways in Active/Standby Cluster XL configuration with the FW, IPS, URL Filtering, App Control,
AV, AB, and VPN blades active and R77.30. We have several connections that run during the day for significant file transfers to various backup systems. These connections establish under the PXL path as I haven't worked out which blade is preventing the SecureXL path yet for these transfers (I have exclusions set in IPS and AV blades, but need to test an App Control/URL Filtering change tomorrow).

We observed that if a cluster fail-over occurs, the connection is moves onto the secondary member under the SecureXL path and the transfer speed increases 2-4x and CPU usage drops from 95+ percent to <50%. We were wondering if anyone else has seen this behavior and is supposed to be normal? If the connection is terminated and restarted, it will come up under the PXL path.

Thanks,

Scott L.

0 Kudos
2 Replies
Kaspars_Zibarts
Authority
Authority
‎2018-01-11 12:36 PM

Wow, that's an interesting one! https://community.checkpoint.com/people/thalld401179d-0d5b-369d-a0f2-387c3ef54533‌ question! I'm keen to hear the answer

0 Kudos
Scott_Laudensla
Participant
‎2018-01-16 05:47 AM

I think I found the answer to my own question.

Partial connection - Connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table (versions R70 and above).

  • In Cluster HA - partial connections are offloaded when member becomes Active

This is found in SK98348  Best Practices - Security Gateway Performance. I interpret this to mean that PXL connections are moved to SXL connections upon fail-over to maintain connection state.

We just inadvertently ran into this as we were moving tens of TB of data and the connection eventually caused the gateway to run out of memory and fail-over (all 24 GB). 

 

From testing last week, we were able to figure out how to keep this connection out of the App Control blade, thanks to posts from Tim in the PXL Medium path thread. We are still working on the Threat Prevention blade yet for exclusion as this blade still causes the connection to drop to PXL. We still have a few things to try yet.

As a side note, our memory issue is probably because of running old Jumbo 216. I see they fixed some issues in the newer versions for App Control with memory usage. The memory issue is not present if the connection is running SXL path.