This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.

Reject

Preferences

ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ Sign In

Products
Learn
Local User Groups
Partners
- Welcome Partners!
More

Products
Learn
Local User Groups
- Upcoming Events
- Americas
- EMEA
  - Czech Republic and Slovakia
  - Denmark
  - Netherlands
  - Germany
  - Sweden
  - United Kingdom and Ireland
  - France
  - Spain
  - Norway
  - Ukraine
  - Baltics and Finland
  - Greece
  - Portugal
  - Austria
  - Kazakhstan and CIS
  - Switzerland
  - Romania
  - Turkey
  - Belarus
  - Belgium & Luxembourg
  - Russia
  - Poland
  - Georgia
  - DACH - Germany, Austria and Switzerland
  - Iberia
  - Africa
  - Adriatics Region
  - Eastern Africa
  - Israel
  - Nordics
  - Middle East and Africa
  - Balkans
  - Italy
  - Bulgaria
- APAC
  - Korea
  - Mongolia
  - Bangalore
  - Greater China
  - Australia/New Zealand
  - Philippines
  - Japan
  - Singapore
  - India
  - Thailand
  - Taiwan
  - Hong Kong
  - Indonesia
Partners
- Welcome Partners!
More
ABOUT CHECKMATES & FAQ
- About CheckMates & FAQ
- Community Guidelines
Sign In
Leaderboard
Events

CheckMates Fest 2025!
Join the Biggest Event of the Year!

Share your Cyber Security Insights
On-Stage at CPX 2025

Learn More

Simplifying Zero Trust Security
with Infinity Identity!

Watch Now

Zero Trust Implementation
Help us with the Short-Term Roadmap

Take the Survey

CheckMates Go:
What's New in R82

LISTEN NOW

Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Search instead for

Did you mean:

Who rated this post

cancel

Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Search instead for

Did you mean:

Muazzam

Contributor

‎2024-10-31 01:38 PM

Mark as New
Bookmark
Subscribe
Mute
Subscribe to RSS Feed
Permalink
Print
Report Inappropriate Content

Connection failure on firewall failover - Out of state packets

Hardware: 23500
OS: GAIA R81.10 Take 94
Active / Standby Setup
ThroughPut - Typical: 250Mbps

Many applications do not survive on cluster failover. They do not recover, only solution is to re-start the application.

At the time of failover, we see hundreds of out of state packets and logs showing first packet isn't syn with push-ack flags.

When we fail from member A to B - we did not see any traffic passing from member B unless the app is re-started.
Checked the # of connections on the connection table and for some IP addresses there is a big difference; Example 800 on active member and 600 on standby member. All TCP based traffic with no UDP component.

Not sure but I believe that this started after we change the clustering method from VRRP to ClusterXL but I may be wrong here.

Questions:
Is the difference in the # of connections in connections table acceptable?
Can this bee the issue explained in SK180253?
Any command to check if the 2 firewalls are out of Sync?

2 Kudos

(1)

Back to post

Who rated this post

FirewallXL

Explorer

Rating date: ‎2024-11-02

About CheckMates

Getting Started & FAQ
Community Guidelines

Learn Check Point

Check Point for Beginners
Check Point Trivia
CheckFlix Videos

Advanced Learning

Check Point Security Masters
Tip of the Week
TechTalks
Training and Certification

Resources

CheckMates Toolbox
Developers (Code Hub)
Product Announcements
Upcoming Events

Non-English Discussions

Español
French
Japanese
Português
Russian
Chinese

YOU DESERVE THE BEST SECURITY

We’re Social. Follow Us