Description: The cphaconf command configures ClusterXL.
Important - Running this command is not recommended. It should be run automatically, only by the Security Gateway or by Check Point support. The only exception to this rule is running this command with
Usage
cphaconf [-i <computer id>] [-p <policy id>] [-b <db_id>] [-n <ClusterXL num>]
[-c <ClusterXL size>] [-m <service>] [-t <secured IF 1>...] start
cphaconf [-t <secured IF 1>...] [-d <disconnected IF 1>...] add
cphaconf clear-secured
cphaconf clear-disconnected
cphaconf stop
cphaconf init
cphaconf forward <on/off>
cphaconf debug <on/off>
cphaconf set_ccp <broadcast/multicast>
cphaconf mc_reload
cphaconf debug_data
cphaconf stop_all_vs
Syntax
Parameter | Description
---|---
set_ccp <broadcast/multicast> | Sets whether ClusterXL Control Protocol (CCP) packets should be sent with a broadcast or multicast destination MAC address. The default behavior is multicast. The setting created using this command will survive reboot. Note: The same value (either broadcast or multicast) should be set on all ClusterXL members.
stop_all_vs | Stops the ClusterXL product on all Virtual Systems on a VSX Gateway.
Running cphastart on a cluster member activates ClusterXL on the member. It does not initiate full synchronization. cpstart is the recommended way to start a cluster member.
Running cphastop on a cluster member stops the cluster member from passing traffic. State synchronization also stops. It is still possible to open connections directly to the cluster member.
These commands should only be run by the Security Gateway, and not directly by the user.
Method | To Stop ClusterXL | To Start ClusterXL
---|---|---
Run / Effect | |
Recommended method | |
In SmartView Monitor | |
In Load Sharing mode, the cluster distributes the load between the remaining active members.
In HA mode, the cluster fails over to the next active member with the highest priority.
For more on initiating manual failovers, see: sk55081
To monitor the synchronization mechanism on ClusterXL or third-party OPSEC certified clustering products:
fw ctl pstat
The output of this command is a long list of statistics for the Security Gateway. At the end of the list there is a section called "Synchronization", which applies per cluster member. Many of the statistics are counters that can only increase. A typical output is as follows:
The meaning of each line in this printout is explained below.
This line must appear if synchronization is configured. It indicates that new sync is working (as opposed to old sync from version 4.1).
If sync is unable to either send or receive packets, there is a problem. Sync may be temporarily unable to send or receive packets during boot, but this should not happen during normal operation. When performing full sync, sync packet reception may be interrupted.
The total number of sync packets sent is shown. Note that the total number of sync packets is non-zero and increasing.
The cluster member sends a retransmission request when a sync packet is received out of order. This number may increase when under load.
Acks are the acknowledgments sent for received sync packets, when an acknowledgment was requested by another cluster member.
The total number of sync packets received is shown. The queued packets figure increases when a sync packet is received that complies with one of the following conditions:
This figure never decreases. A non-zero value does not indicate a problem.
The dropped by net number may indicate network congestion. This number may increase slowly under load. If this number increases too fast, a networking error may be interfering with the sync protocol. In that case, check the network.
This message refers to the number of received retransmission requests, in contrast to the transmitted retransmission requests in the section above. When this number grows very fast, it may indicate that the load on the member is becoming too high for sync to handle.
Acks refer to the number of acknowledgments received for the "cb request" sync packets, which are sync packets with requests for acknowledgments.
Retrans reqs for illegal seq displays the number of retransmission requests for packets which are no longer in this member's possession. This may indicate a sync problem.
Callback statistics relate to received packets that involve Flush and Ack. This statistic only appears for a non-zero value.
The callback average delay is how long the packet was delayed in this member until it was released, when the member received an ACK from all the other members. The delay happens because packets are held until all other cluster members have acknowledged reception of that sync packet.
This figure is measured in numbers of packets. Normally this number should be small (~1-5). Larger numbers may indicate an overload of sync traffic, which causes connections that require sync acknowledgments to suffer slight latency.
In a heavily loaded system, the cluster member may drop synchronization updates sent from another cluster member.
Delta Sync memory usage only appears for a non-zero value. Delta sync requires memory only while full sync is occurring. Full sync happens when the system comes up, after a reboot for example. At other times, Delta sync requires no memory because Delta sync updates are applied immediately. For information about Delta sync see How State Synchronization Works.
Number of Pending packets currently held only appears for a non-zero value. ClusterXL prevents out-of-state packets in non-sticky connections. It does this by holding packets until a SYN-ACK is received from all other active cluster members. If for some reason a SYN-ACK is not received, the Security Gateway on the cluster member will not release the packet, and the connection will not be established.
Packets released due to timeout only appears for a non-zero value. If the Number of Pending packets is large (more than 100 pending packets) and the number of Packets released due to timeout is small, you should take action to reduce the number of pending packets. To solve this problem, see Reducing the Number of Pending Packets.
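The interpretation rules above (sync able to send and receive, sent counter non-zero and increasing, dropped by net rising too fast, retrans reqs for illegal seq, callback average delay beyond ~1-5, many pending packets with few timeout releases) can be applied mechanically to two consecutive snapshots of the Synchronization section. The following is an added example, not Check Point's code and not the printout from this page: the two snapshots are constructed from the line descriptions above, and the exact labels and layout of a real fw ctl pstat printout, the "fast" increase cut-off, and what counts as a "small" number of timeout releases are assumptions to adjust for your gateway.

```python
"""Health checks for the "Synchronization" section of `fw ctl pstat` output.

Added example (not Check Point code). SNAPSHOT_1/SNAPSHOT_2 are CONSTRUCTED:
they follow the line descriptions in the text, but the precise labels and
layout of a real printout are an assumption; adapt COUNTER_RE and the
block markers to the output of your own gateway.
"""
import re

# Two constructed snapshots of the same cluster member, a short interval apart.
SNAPSHOT_1 = """\
Sync:
Version: new
Status: Able to send/receive sync packets
Sync packets sent:
 total : 120000, retransmitted : 15, retrans reqs : 3, acks : 40
Sync packets received:
 total : 118000, were queued : 12, dropped by net : 5
 retrans reqs : 2, acks : 38
 retrans reqs for illegal seq : 0
dropped updates as a result of sync overload : 0
Callback statistics: handled 40 cb requests, average delay : 2, max delay : 6
Number of Pending packets currently held : 3
Packets released due to timeout : 1
"""

SNAPSHOT_2 = """\
Sync:
Version: new
Status: Able to send/receive sync packets
Sync packets sent:
 total : 125000, retransmitted : 15, retrans reqs : 3, acks : 42
Sync packets received:
 total : 123000, were queued : 12, dropped by net : 900
 retrans reqs : 2, acks : 40
 retrans reqs for illegal seq : 4
dropped updates as a result of sync overload : 0
Callback statistics: handled 42 cb requests, average delay : 9, max delay : 20
Number of Pending packets currently held : 150
Packets released due to timeout : 1
"""

# "label : value" pairs; a label is words separated by single spaces.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")


def parse_sync_section(text):
    """Return {'status': str|None, 'counters': {name: int}}.

    Counters under "Sync packets sent:" / "Sync packets received:" get a
    "sent." / "received." prefix so the two "retrans reqs" and "acks"
    counters the text distinguishes do not collide.
    """
    stats = {"status": None, "counters": {}}
    block = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Status:"):
            stats["status"] = stripped.split(":", 1)[1].strip()
            continue
        if stripped == "Sync packets sent:":
            block = "sent."
            continue
        if stripped == "Sync packets received:":
            block = "received."
            continue
        if not line.startswith(" "):  # an unindented line ends the sent/received block
            block = ""
        for label, value in COUNTER_RE.findall(stripped):
            stats["counters"][block + label.strip().lower()] = int(value)
    return stats


def check_sync_health(before, after, pending_threshold=100, normal_delay=5, fast_delta=100):
    """Apply the interpretation rules from the text to two consecutive snapshots.

    pending_threshold (>100 pending packets) and normal_delay (~1-5) come from
    the text; fast_delta is an ASSUMED per-interval increase that counts as
    "too fast" for dropped-by-net and received retransmission requests.
    Returns a list of findings; an empty list means nothing looked wrong.
    """
    b, a = before["counters"], after["counters"]
    findings = []

    def delta(key):
        return a.get(key, 0) - b.get(key, 0)

    status = (after["status"] or "").lower()
    if not status or "unable" in status:
        findings.append("sync is unable to send or receive packets: %r" % after["status"])
    if a.get("sent.total", 0) == 0 or delta("sent.total") <= 0:
        findings.append("sync packets sent is zero or not increasing")
    if delta("received.dropped by net") > fast_delta:
        findings.append("dropped by net rose by %d: check the network" % delta("received.dropped by net"))
    if delta("received.retrans reqs") > fast_delta:
        findings.append("received retransmission requests rising fast: member load may be too high for sync")
    if delta("received.retrans reqs for illegal seq") > 0:
        findings.append("retransmission requests for packets no longer held: possible sync problem")
    if delta("dropped updates as a result of sync overload") > 0:
        findings.append("member dropped sync updates from a peer: sync overload")
    if a.get("average delay", 0) > normal_delay:
        findings.append("callback average delay %d exceeds ~1-5: sync traffic overload" % a["average delay"])
    pending = a.get("number of pending packets currently held", 0)
    released = a.get("packets released due to timeout", 0)
    if pending > pending_threshold and released < pending // 10:  # "small" is an assumption
        findings.append("%d pending packets held, only %d released by timeout: reduce pending packets"
                        % (pending, released))
    return findings


if __name__ == "__main__":
    for finding in check_sync_health(parse_sync_section(SNAPSHOT_1), parse_sync_section(SNAPSHOT_2)):
        print("WARNING:", finding)
```

Run against the two constructed snapshots, the second snapshot trips four of the rules (dropped by net, illegal-sequence retransmission requests, callback delay, pending packets); feeding a single unchanged snapshot as both "before" and "after" only reports that the sent counter is not increasing, which is the point of comparing two readings rather than judging one.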