Mell, This is not a cold reboot. We did a test by running FTP thru the primary and pulled out the cable so that it fails over to secondary (which it did in 4 secs) but when we plugged the cable back in the primary again, it took approx 20 secs to failback from secondary to primary and FTP stops.
Failover from Master to Secondary - 4 secs Failover from Secondary back to Primary - 20 secs or more Well we did try the cold start delay (30, 60, 120 secs) but didnt work though. Anyhow, we will try again. There's a resolution from Nokia on this and we tried it but couldnt get it to solve the problem. Any other config that we shud try? Thank you. Ay ----- Original Message ----- From: "Mellor, Derin" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, December 10, 2002 3:23 PM Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10 > Is this a cold reboot? > > VRRP is fairly slow recovering, ~20s. > > If the Master recovers VRRP will immediately switch all session to flow > through the Master. This can cause problems as CP might not have > finished installing (i.e. it has the default filter loaded, > synchronization of connection table is not complete). > > The effect is that existing connections move back to the Master. Until > the correct security policy and synchonization is loaded the packets > will be at best dropped. Normally, once CP is full initialized and > synchronized the sessions continue - this will cause a glitch and > possibly dump connections. > > From my testing it could take ~45s for CP to initialize and synchronize > connection tables. To solve this problem you need to hold VRRP. In the > VRRP configuration page configure VRRP Cold Start Delay to 60s (this > will ensure that CP initializes and synchronizes). This effectively > delays VRRP from starting for the specified time period. > > Assuming this is your issue, the recover should be sleamless. > > Hope this of use. > > Derin > > > > -----Original Message----- > From: Alan Yeow [mailto:[EMAIL PROTECTED]] > Sent: 09 December 2002 07:34 > To: [EMAIL PROTECTED] > Subject: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10 > > > Hello all, > > Anyone experienced problems when secondary fails back to primary fw? > > Problem is, it takes 15-30 seconds to failback from secondary to > primary. Secondly, after failing back from secondary to primary, > existing FTP connections never continues. > > > Here's a brief scenario on what's going on > ================================================= > 1. VRRP alone on Nokia is working fine. > 2. Primary fails over to secondary is working fine. > - Primary is able to fail to secondary within 2-4 timeouts > - Ping continues with only 2-4 timeouts > - FTP stops for fraction of time and its able to continue > > BUT > > 3. When failing back from secondary to primary it takes approx > 15 - 30 request timeouts. > - Ping session stops with 15-30 timeouts before replies comes in > - FTP stops and never resumes connection even after the ping > replies. > (that means users will need to reconnect and download again) > > > Any ideas or solutions to this? > > Thanks > Alan > > ================================================= > To set vacation, Out Of Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > ================================================= > > > <FONT SIZE=1>********************************************************************* * > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender immediately and then delete from your system. > > This footnote also confirms that this email message has been swept > for the presence of known computer viruses. > > **********************************************************************</FONT > > > ================================================= > To set vacation, Out Of Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > ================================================= ================================================= To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
