This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rob_Gaal
Explorer
‎2017-11-02 01:56 PM

cluster xl start time after reboot

Hi,

We are currently testing a new R80.10 ClusterXL based firewall cluster and notice the following:

When rebooting one of the cluster member the Cluster XL status  of that member is around 5 minutes in down before it moves over to Standby state:  

cphaprob state


Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 192.168.1.2 100% Active
2 (local) 192.168.1.3 0% Down

Local member is in current state since Thu Nov 2 21:22:55 2017


Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 192.168.1.2 100% Active
2 (local) 192.168.1.3 0% Standby

Local member is in current state since Thu Nov 2 21:28:26 2017

Is this normal behavior ?

Kind regards, Rob.

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2017-11-02 11:18 PM

On the surface, that seems reasonable.

Before a cluster member is actually up and ready to accept traffic, the various processes have to be started, the security policy loaded, and connections from the other active system synced.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-11-03 05:08 AM

Upon the recovery of a cluster member, there is an extended handshake between the two cluster members that may take awhile and includes a full sync.  After a reboot and while the recovered member is still showing "Down", what do these commands show:

cphaprob -a if

cphaprob -ia list

You are likely to see something called a "Recovery Delay" in the output of the second command, which is more or less equivalent to a VRRP Cold Start Delay.  It is also possible the first command will show one or more interfaces as "Down" due to STP delays in your switchports, but that shouldn't last anywhere close to 5 minutes...

See the following for more info:  sk92353: Output of 'cphaprob -ia list' on ClusterXL shows a Critical Device called 'Recovery Delay'

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 07 Oct 2025 @ 09:30 AM (CEST)

    CheckMates Live Denmark!
    CheckMates Events