Thanks for a quick reply! 🙂

Customer is very strict on any software to install as it controls important national infrastructure so any third party tool has to go through review first unfortunately so will take a while before i could run it 😕

Performance shouldnt be an issue as we went from 5600 (8 cores) to 7000 (16 cores, 32 virtual) and the issues started immidiately started after shifting from 5600 R81.10 -> 7000 R81.20 T26, even switchports are the same as before so i definately suspect a bug 

I can tell you based on all my testing in the lab with jumbo 41, its FANTASTIC! I find traffic is better, cpu/memory as well, also policy push is faster than before.

Definitely something to consider, but, you can certainly also work with TAC to get better understanding as to what could be causing this.

Kind regards,

Andy

Im really eager to try it out myself, took us a month to get a maintenance window to do this change, do know ill be able to get an emergency change for jumbo patching but want to make sure we dont also need a portfix at the same time.Hopefully TAC will reply soon 🙂

Lets hope so. I also see take 41 is indeed recommended take at the moment, so would not surprise me if they suggest it to you.

Best regards,

Andy

During investigations with TAC we found a strange mismatch on a kernel parameter.

We did not create/modify the fwkern.conf file ourselves but find the following:

####
[Expert@fw-vsxnode1:0]# cat $FWDIR/boot/modules/fwkern.conf
fwha_enable_state_machine_by_vs=1
fwha_active_standby_bridge_mode=1
fwmultik_sync_processing_enabled=0
####

When checking the "fwmultik_sync_processing_enabled" parameter it shows as enabled.

####
[Expert@fw-vsxnode1:0]# fw ctl get int fwmultik_sync_processing_enabled
fwmultik_sync_processing_enabled =1
####

The gateways havent been rebooted since after the implementation/reconfigure process where they were both rebooted.
Not sure why the kernel parameter differs from fwkern.conf but it has clearly been added here but not loaded.

sk105762 is also somewhat confusing, under instructions it says

"Note: Beginning in Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177) and on all GA versions starting R81, this mode is supported when the Security Gateway is configured in VSX/USFW mode. In a cluster environment, this procedure does not have to be performed on all members of the cluster because it enables monitoring only
"

Hoping that the boot and/or T41 will also fix this, but most importantly solve the failover issue without introducing new bugs 🙂

I have high hopes, as they say. Take 41 seems super stable, so Im sure it will help. Just make sure right values are indeed set in fwkern.conf file, so the sync processing parameter is supposed to equal 1 and not 0, so should be like this:

[Expert@fw-vsxnode1:0]# cat $FWDIR/boot/modules/fwkern.conf
fwha_enable_state_machine_by_vs=1
fwha_active_standby_bridge_mode=1
fwmultik_sync_processing_enabled=1

Let us know how it goes mate.

Andy

Thanks! 🙂

Is the "fwmultik_sync_processing_enabled" supposed to equal 1 and not 0?

I checked another R81.20 VSX installation and here it was "0" in both fwkern.conf and with "fw ctl  get"
Also checked another R81.10 VSX installation, and here there were nothing in fwkern.conf but "fw ctl get" showed it was set to 0.

On this installation its set to 0 in fwkern.conf (not by me) but to "1" in kernel 😄

Sorry, geesh, I am like chatGPT today, all over the place lol

You are right, what you sent is correct, just needs a reboot to update properly. Seems like someone set it on a fly, which would explain the output of other command.

Andy

Haha, Great, was getting even more confused here 😄

Nobody else touches this cluster but me so the parameter has to have been set this way in fwkern.conf automagically  but for some reason not loaded correctly.  Crossing fingers for tonight 🙂

Yes, that makes sense...dont worry mate, only one confused here is me 😄

I am positive about tonight that all will go well.

Andy

Awesome news @PetterD , glad its fixed!

Andy