Re: [FW-1] Cluster XL Coming Up Swapped

Fri, 15 Jun 2007 10:44:45 -0700 

You checked for it by running 'fw ctl get int
fwha_freeze_state_machine_timeout' on your firewall module?  sk32488 states
it works version "NGX" and since R60 is a NGX version I assumed it would've
worked.  Of course, I wouldn't be surprised to find a typo in
secureknowledge either. :)  I only have R65 here, so it could be new in R65.





> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Crist Clark
> Sent: Friday, June 15, 2007 12:04 PM
> To: [email protected]
> Subject: Re: [FW-1] Cluster XL Coming Up Swapped
> 
> >>> On 6/14/2007 at 11:02 AM, Jim Johnson <[EMAIL PROTECTED]> wrote:
> > I personally haven't needed to make this change, but per
> > "CheckPoint_R65_KnownLimitation_Supplement.pdf" page 48:
> > 
> > "In certain cases, installing policy on a cluster member may cause
> its state
> > to change and a failover may subsequently occur. To prevent this
> situation,
> > modify the firewall global parameter
> fwha_freeze_state_machine_timeout. This
> > parameter sets the number of seconds during policy installation in
> which no
> > state changes (including the "false" failover) will occur. Set this
> > parameter to the shortest period which eliminates the issue; the
> recommended
> > value is 30 seconds."
> 
> Can't find that on these boxes. They are R60. Guess that
> came into existence since then.
> 
> But thanks, that would be exactly what I'm looking for.
> 
> >> -----Original Message-----
> >> From: Mailing list for discussion of Firewall-1 
> >> [mailto:[EMAIL PROTECTED] On Behalf 
> >> Of Crist Clark
> >> Sent: Wednesday, June 13, 2007 5:16 PM
> >> To: [email protected] 
> >> Subject: [FW-1] Cluster XL Coming Up Swapped
> >> 
> >> We've got some Cluster XL setups consisting of a failover
> >> pair. One cluster member is preferred over the other. We
> >> want to be on this primary member unless there is some
> >> trouble with it. The ClusterXL docs call this "Primary Up"
> >> mode.
> >> 
> >> The problem we are having is that sometimes when we push
> >> out a policy to the cluster, the secondary member comes
> >> up as the "active" member with the primary in "standby."
> >> They were in the correct configuration, the reverse, before
> >> the policy gets pushed. There are no indications of failures
> >> (a "member down" message) in the logs. Just each one report
> >> itself up, as always occurs at a policy install.
> >> 
> >> Anyone else seeing this? Ideas on how to fix it?
> >> 
> >> Which brings me to another question. There is the radio
> >> button to switch back to the preferred cluster member
> >> whenever it is available. I assume we'd automagically
> >> flip back to the primary when the above occurs if we
> >> turn that on, but we're hesitant. The concern is some
> >> failure mode where the live machine reports a problem,
> >> but becomes available when offline. You end up with the
> >> machines flip-flopping. Not good. The documentation I've
> >> found doesn't mention any features to dampen something
> >> like that. Anyone know if those safety belts are built
> >> in? Any good or bad experiences with the "Primary Up"
> >> mode?
> 
> 
> BĀ¼information contained in this e-mail message is 
> confidential, intended
> only for the use of the individual or entity named above. If 
> the reader
> of this e-mail is not the intended recipient, or the employee or agent
> responsible to deliver it to the intended recipient, you are hereby
> notified that any review, dissemination, distribution or 
> copying of this
> communication is strictly prohibited. If you have received this e-mail
> in error, please contact [EMAIL PROTECTED] 
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
> 



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

Reply via email to