Re: [FW-1] Cluster XL Coming Up Swapped

Thu, 14 Jun 2007 11:13:34 -0700 

I personally haven't needed to make this change, but per
"CheckPoint_R65_KnownLimitation_Supplement.pdf" page 48:

"In certain cases, installing policy on a cluster member may cause its state
to change and a failover may subsequently occur. To prevent this situation,
modify the firewall global parameter fwha_freeze_state_machine_timeout. This
parameter sets the number of seconds during policy installation in which no
state changes (including the "false" failover) will occur. Set this
parameter to the shortest period which eliminates the issue; the recommended
value is 30 seconds."


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Crist Clark
> Sent: Wednesday, June 13, 2007 5:16 PM
> To: [email protected]
> Subject: [FW-1] Cluster XL Coming Up Swapped
> 
> We've got some Cluster XL setups consisting of a failover
> pair. One cluster member is preferred over the other. We
> want to be on this primary member unless there is some
> trouble with it. The ClusterXL docs call this "Primary Up"
> mode.
> 
> The problem we are having is that sometimes when we push
> out a policy to the cluster, the secondary member comes
> up as the "active" member with the primary in "standby."
> They were in the correct configuration, the reverse, before
> the policy gets pushed. There are no indications of failures
> (a "member down" message) in the logs. Just each one report
> itself up, as always occurs at a policy install.
> 
> Anyone else seeing this? Ideas on how to fix it?
> 
> Which brings me to another question. There is the radio
> button to switch back to the preferred cluster member
> whenever it is available. I assume we'd automagically
> flip back to the primary when the above occurs if we
> turn that on, but we're hesitant. The concern is some
> failure mode where the live machine reports a problem,
> but becomes available when offline. You end up with the
> machines flip-flopping. Not good. The documentation I've
> found doesn't mention any features to dampen something
> like that. Anyone know if those safety belts are built
> in? Any good or bad experiences with the "Primary Up"
> mode?
> 
> BĀ¼information contained in this e-mail message is 
> confidential, intended
> only for the use of the individual or entity named above. If 
> the reader
> of this e-mail is not the intended recipient, or the employee or agent
> responsible to deliver it to the intended recipient, you are hereby
> notified that any review, dissemination, distribution or 
> copying of this
> communication is strictly prohibited. If you have received this e-mail
> in error, please contact [EMAIL PROTECTED] 
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailinghtml
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
> 



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

Reply via email to