
Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10



Is this a cold reboot?

VRRP is fairly slow recovering, ~20s.

If the Master recovers, VRRP will immediately switch all sessions to flow
through the Master. This can cause problems as CP might not have
finished installing (i.e. it has the default filter loaded,
synchronization of connection table is not complete).

The effect is that existing connections move back to the Master. Until
the correct security policy and synchronization is loaded the packets
will be at best dropped. Normally, once CP is fully initialized and
synchronized the sessions continue - this will cause a glitch and
possibly dump connections.

From my testing it could take ~45s for CP to initialize and synchronize
connection tables. To solve this problem you need to hold VRRP. In the
VRRP configuration page configure VRRP Cold Start Delay to 60s (this
will ensure that CP initializes and synchronizes). This effectively
delays VRRP from starting for the specified time period.

Assuming this is your issue, the recovery should be seamless.

Hope this is of use.

Derin



-----Original Message-----
From: Alan Yeow [mailto:[email protected]]
Sent: 09 December 2002 07:34
To: [email protected]
Subject: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10


Hello all,

Anyone experienced problems when secondary fails back to primary fw?

Problem is, it takes 15-30 seconds to failback from secondary to
primary. Secondly, after failing back from secondary to primary,
existing FTP connections never continue.


Here's a brief scenario on what's going on
=================================================
1. VRRP alone on Nokia is working fine.
2. Primary fails over to secondary is working fine.
    - Primary is able to fail to secondary within 2-4 timeouts
    - Ping continues with only 2-4 timeouts
    - FTP stops for a fraction of time and it's able to continue

BUT

3. When failing back from secondary to primary it takes approx
    15 - 30 request timeouts.
    - Ping session stops with 15-30 timeouts before replies come in
    - FTP stops and never resumes connection even after the ping replies.
       (that means users will need to reconnect and download again)


Any ideas or solutions to this?

Thanks
Alan

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

