This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Rob_Gaal
Explorer
‎2017-11-02 01:56 PM

cluster xl start time after reboot

Hi,

We are currently testing a new R80.10 ClusterXL based firewall cluster and notice the following:

When rebooting one of the cluster member the Cluster XL status  of that member is around 5 minutes in down before it moves over to Standby state:  

cphaprob state


Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 192.168.1.2 100% Active
2 (local) 192.168.1.3 0% Down

Local member is in current state since Thu Nov 2 21:22:55 2017


Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 192.168.1.2 100% Active
2 (local) 192.168.1.3 0% Standby

Local member is in current state since Thu Nov 2 21:28:26 2017

Is this normal behavior ?

Kind regards, Rob.

0 Kudos
Reply
2 Replies
PhoneBoy
Admin
Admin
‎2017-11-02 11:18 PM

On the surface, that seems reasonable.

Before a cluster member is actually up and ready to accept traffic, the various processes have to be started, the security policy loaded, and connections from the other active system synced.

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2017-11-03 05:08 AM

Upon the recovery of a cluster member, there is an extended handshake between the two cluster members that may take awhile and includes a full sync.  After a reboot and while the recovered member is still showing "Down", what do these commands show:

cphaprob -a if

cphaprob -ia list

You are likely to see something called a "Recovery Delay" in the output of the second command, which is more or less equivalent to a VRRP Cold Start Delay.  It is also possible the first command will show one or more interfaces as "Down" due to STP delays in your switchports, but that shouldn't last anywhere close to 5 minutes...

See the following for more info:  sk92353: Output of 'cphaprob -ia list' on ClusterXL shows a Critical Device called 'Recovery Delay'

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply