I have a question about the number of concurrent connections shown in the CPView Utility.
The CPView utility is a nice and, for most of my colleagues, very easily understandable utility for a quick performance check. Usually we are running a cluster solution, and I must admit that it is quite confusing what we can see on the Active and Standby nodes about connections. When SecureXL is active, it shows only active connections on the STANDBY node but not the summary of all synchronized connections from the connection table.
This situation is correct according to sk103496:
The command 'fwaccel stats' (counter "C total conns") shows the connections in SecureXL FWAccel module.
The command 'fw ctl pstat' (counter "Concurrent Connections") shows the connections in FW module.
CPView Utility is designed to show the actual amount of connections that currently pass through the Security Gateway. This counter is adjusted according to which Check Point kernel module is handling the traffic:
- When SecureXL is enabled, CPView Utility shows the connections from the SecureXL FWAccel module (run the command fwaccel stats | grep "C total conns")
- When SecureXL is disabled, CPView Utility shows the connections from the FW module (run the command fw tab -t connections -s and refer to #VALS column)
The difference in the number of connections when SecureXL is enabled or disabled is due to the fact that:
- SecureXL SIM module does not show certain connections - e.g., ClusterXL synchronization connections.
- FW module does not show certain connections - e.g., Delayed connections.
In addition, the big difference between the output of 'fwaccel conns -s' command and output of 'fwaccel stats | grep "C total conns"' is due to the fact that the command 'fwaccel conns -s' shows both Client-to-Server and Server-to-Client connections, while the command 'fwaccel stats | grep "C total conns"' compresses these connections into one connection.
Solution
No fix is required; the system is functioning as designed.
At least for me, it makes sense to see concurrent connections equal in CPView for both cluster members. In that case we can easily see that it is synchronized.
Does anyone know what is behind the current design?
Do you prefer to keep it as is or change it to equal view?