Hello Mathew. thanks for your reply. I had not thought about latency between members, so I guess those pings you suggest are a good point to check.
The cluster has been pretty stable since it was deployed, although it would not hurt checking that also at this point. I'll check on those and will let you know. Thanks a lot for for giving me some ideas. Regards On Wed, Aug 24, 2011 at 12:20 AM, Matthew Odendaal <[email protected]>wrote: > Hi Sergio > > It sounds like there is increased latency during the redirection from the > pivot member to the secondary member. > > What is the latency between the members on each interface (including sync)? > Maybe try to ping from one member to the other on each of the affected > interfaces. If the latency is more than a few milliseconds, then that could > explain the problem. > > Also, I assume that the cluster is stable? IF you run "cphaprob stat" > repeatedly for about 10 seconds, do you notice any cluster flaps? > > Thanks > > Matt > > Matthew Odendaal > > > -----Original Message----- > From: Mailing list for discussion of Firewall-1 [mailto: > [email protected]] On Behalf Of Sergio Alvarez > Sent: 23 August 2011 11:38 PM > To: [email protected] > Subject: [FW-1] Delay with traffic going through non-pivot member of an LS > Unicast cluster. > > Hello. I have in my hands a very weird issue, that have never seen before, > and was hoping some of you guys might have suggestions about it. > > Scenario: Two-member Load Sharing Unicast cluster running R75.10 over open > servers running SPLAT. > > Cluster has worked like this for months without any problems but today > received report about problems with a new application that requires traffic > to go through the cluster. This new application is running on a DMZ > interface, the following info was provided about it: > > Web Servers en DMZ: IBM HTTP Server version 7.0.0.11 (build cf111021.10) > over AIX 6.1-02 Portal Servers on the intranet: IBM WebSphere Application > Server - ND version 7.0.0.11 (build > cf111021.10) over AIX 6.1-02 > > Traffic comes from web services located in other network segments, through > the firewall and to the DMZ in question. After the deployment of this > application, noticed important delays with traffic through the cluster, but > those appeared some times and some times not. Decided to do some tests, > among those, enabled "fw monitor" captures on both cluster members and found > out when traffic goes through the Pivot member of the Unicast cluster, > everything works perfect, but when it is handled by the other cluster > member, the delays occur. > > Here are multiple pieces of info that might be of help: > > - Traffic goes over TCP ports 10039, 10040, 10050. > - Only affecting this new app. > - No drops are shown in the logs. > - Cluster "advanced" configuration is set to handle load sharing by "IPs" > only and "use sticky decision function" is selected. > - If the cluster is changed to HA instead of LS Unicast operation mode, > everything works perfect > - Checked the cluster status with multiple commands, but one in particular > caused interest: "cphaprob syncstat". > > SK34475 document says the following: > > Lost sync connection (num of events)... SHOULD be 0 - positive value > indicates connectivity problems Not held due to no members............. > SHOULD be 0 - positive value indicates connectivity problem between the > members > > Running the command on both cluster members in fact showed positive values > in both variables (for > example: 2144 in the primary member for "lost sync"). Noticed changing from > LS unicast to HA causes increases on these values, so currently unsure if > the positive value is normal given multiple changes in the cluster operation > mode. > > Given the fact the issue is affecting only one application, it appears to > me it might not be related with a general cluster problem, but thought it > might be useful info. > > Any ideas on how to get this one resolved will be very appreciated. > > Regards > > -- > Sergio Alvarez > CISSP | CCSE+ > > ================================================= > To set vacation, Out-Of-Office, or away messages, send an email to > [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your subscription options, email > [email protected]================================================= > > Scanned by Check Point Total Security Gateway. > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= > > Scanned by Check Point Total Security Gateway. > -- Sergio Alvarez CISSP | CCSE+ ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
