Advanced Cluster Configuration

A number of synchronization and ClusterXL capabilities are controlled by means of Security Gateway configuration parameters. Run these commands on the Security Gateway as follows:

fw ctl set int Parameter <value>

Parameter is any of the kernel parameters described in the following sections.

Changes to their default values must be implemented on all Cluster Members. Setting different values on Cluster Members can cause configuration problems and possibly connection failures.

Note - All these configuration parameters can be configured to survive a reboot.

How to Configure Reboot Survival

Security Gateway configuration parameters that are changed using the fw ctl set int command do not survive a reboot. To make them survive a reboot, add the kernel parameter and its value to the $FWDIR/boot/modules/fwkern.conf file (see sk26202).

In the following instructions, Parameter is any of the parameters described in the following sections.

For general instructions, see Working with Kernel Parameters on Security Gateway.

Important - You must configure all the Cluster Members in the same way.
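As an added example (not from the Check Point documentation or sk26202), a POSIX shell helper that applies a parameter with fw ctl set int and records it in fwkern.conf as a single name=value line per parameter, replacing any earlier line for the same parameter so repeated runs stay idempotent. The name=value line format is assumed from sk26202; FWKERN_CONF and FW_CMD are assumed override variables so the file logic can be exercised off-box.

```shell
#!/bin/sh
# Added example, not Check Point's own script. Assumes fwkern.conf holds one
# "name=value" line per kernel parameter (sk26202). FWKERN_CONF and FW_CMD
# can be overridden so the file handling can be tested without a gateway.
FWKERN_CONF="${FWKERN_CONF:-${FWDIR:-}/boot/modules/fwkern.conf}"
FW_CMD="${FW_CMD:-fw}"

# Return 0 only for a plain non-negative integer (fw ctl set int takes ints).
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Persist name=value in fwkern.conf: drop any existing line for the same
# parameter (so repeated runs do not accumulate duplicates), then append.
persist_kparam() {
    name="$1"; value="$2"
    is_uint "$value" || { echo "bad value for $name: $value" >&2; return 1; }
    tmp="${FWKERN_CONF}.tmp.$$"
    if [ -f "$FWKERN_CONF" ]; then
        grep -v "^${name}=" "$FWKERN_CONF" > "$tmp" || true
    else
        : > "$tmp"
    fi
    echo "${name}=${value}" >> "$tmp"
    mv "$tmp" "$FWKERN_CONF"
}

# Print the persisted value for a parameter (empty output if none).
persisted_value() {
    [ -f "$FWKERN_CONF" ] || return 1
    sed -n "s/^$1=//p" "$FWKERN_CONF" | tail -n 1
}

# Apply the value now and persist it, to be run identically on every member.
set_kparam() {
    persist_kparam "$1" "$2" || return 1
    "$FW_CMD" ctl set int "$1" "$2"
}
```

After a reboot, compare persisted_value against fw ctl get int on each member to confirm the value was actually loaded.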

Controlling the Clustering and Synchronization Timers

The following Security Gateway configuration parameters are used to control the clustering and synchronization timers. Changing the default values is not recommended.

Clustering and Synchronization timers

Parameter             Meaning                                                         Default Value
fwha_timer_cpha_res   The frequency of ClusterXL operations on the cluster.           1
                      Operations occur every
                      10 x fwha_timer_cpha_res x fwha_timer_base_res milliseconds.
fwha_timer_sync_res   The frequency of sync flush operations on the cluster.          1
                      Operations occur every
                      10 x fwha_timer_sync_res x fwha_timer_base_res milliseconds.
fwha_timer_base_res   Must be divisible by 10 with no remainder.                      10

Blocking New Connections Under Load

This section applies only to Load Sharing modes. New connections are blocked because they are the main source of new Delta Synchronization traffic. Delta Synchronization may be at risk if new traffic continues to be processed at a high rate.

A related error message in cluster logs and in the /var/log/messages file is:

"FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems!".

Reducing the amount of traffic passing through the Cluster Member protects the Delta Synchronization mechanism. See sk43896: Blocking New Connections Under Load in ClusterXL.

Summary table:

Flag                    Value   Meaning
ICMP_CONN_ALLOWED       1
TCP_CONN_ALLOWED        2       Except for data connections
UDP_CONN_ALLOWED        4       Except for data connections
TCP_DATA_CONN_ALLOWED   8       The control connection should be established or allowed
UDP_DATA_CONN_ALLOWED   16      The control connection should be established or allowed
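As an added example (not from the Check Point documentation or sk43896), a POSIX shell helper that composes the bit value from the summary table above from flag names, warns when a data-connection flag is set without its control-connection flag (the table's "established or allowed" condition), and decodes a value back into flag names. The kernel parameter that receives the mask is described in sk43896 and is not named on this page, so the helper only computes the value.

```shell
#!/bin/sh
# Added example, not Check Point's own script. Bit values are those of the
# summary table on this page; the parameter that takes the mask is in sk43896.
flag_value() {
    case "$1" in
        ICMP) echo 1 ;;
        TCP) echo 2 ;;
        UDP) echo 4 ;;
        TCP_DATA) echo 8 ;;
        UDP_DATA) echo 16 ;;
        *) return 1 ;;
    esac
}

# conn_allowed_mask NAME... -> prints the OR of the named flags. Fails on an
# unknown name; warns (but still prints) when a data flag is set while the
# matching control flag is not, since the data connection then depends on the
# control connection already being established.
conn_allowed_mask() {
    mask=0
    for name in "$@"; do
        v=$(flag_value "$name") || { echo "unknown flag: $name" >&2; return 1; }
        mask=$((mask | v))
    done
    if [ $((mask & 8)) -ne 0 ] && [ $((mask & 2)) -eq 0 ]; then
        echo "warning: TCP_DATA allowed without TCP control connections" >&2
    fi
    if [ $((mask & 16)) -ne 0 ] && [ $((mask & 4)) -eq 0 ]; then
        echo "warning: UDP_DATA allowed without UDP control connections" >&2
    fi
    echo "$mask"
}

# decode_mask N -> prints the *_CONN_ALLOWED names set in N, one per line.
decode_mask() {
    for name in ICMP TCP UDP TCP_DATA UDP_DATA; do
        [ $(( $1 & $(flag_value "$name") )) -ne 0 ] && echo "${name}_CONN_ALLOWED"
    done
    return 0
}
```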

Working with Logs & Monitor Active Mode

The Active mode in Logs & Monitor shows open connections through Security Gateways that send logs to the active log file on the Security Management Server. The Active mode can slow down synchronization because the synchronization mechanism randomly drops Active connection updates. This issue generates Logs & Monitor log error messages. For this reason, Check Point does not recommend using the Active mode view for a heavily loaded cluster.

The fwlddist_buf_size parameter controls the size of the synchronization buffer, expressed in words (one word equals four bytes). The buffer is used for synchronization and for the Logs & Monitor Active mode. The default buffer size is 16k words. The maximum value is 64k words and the minimum value is 2k words.

You can change the fwlddist_buf_size parameter as necessary; the change is applied only after you restart the member. Make sure that the changed parameter has the correct value after you restart the member. See How to Configure a Kernel Parameter to Survive Reboot for the procedures.

Reducing the Number of Pending Packets

ClusterXL prevents out-of-state packets in non-sticky connections. It does this by holding packets until a Sync ACK is received from all other active Cluster Members. If for some reason a Sync ACK is not received, the Security Gateway on the Cluster Member will not release the packet, and the connection will not be established.

To find out if held packets are not being released, run the fw ctl pstat command. If the output of the command shows that the Number of Pending Packets is large under normal loads (more than 100 pending packets), and this value does not decrease over time, use the fwldbcast_pending_timeout parameter to reduce the number of pending packets.

Change the value of fwldbcast_pending_timeout from the default value of 50 to a value lower than 50.

The value is in tick units, where each tick equals 0.1 sec, so 50 ticks are 5 seconds.

The value is the time after which held packets are released even if Sync ACKs are not received.

Configuring Full Synchronization Advanced Options

When a cluster member comes up after being rebooted (or after cpstart), it has to perform Full Synchronization. As a first step in the Full Synchronization process, it performs a handshake with one of the other active cluster members. Only if this handshake succeeds does the cluster member continue with the Full Synchronization process.

The extended handshake that takes place (by default) exchanges information between cluster members. This information includes version information, information about the installed Check Point products, and can include information which VPN kernel tables are currently active. The extended handshake is unrelated to the exchange of kernel table information that happens later in the Full Synchronization.

All cluster members must have the same Check Point products and versions installed. The extended handshake identifies when different products are installed on the cluster members. When different products are installed, a console warning and a log message are issued.

In order to support backward compatibility, it is possible to change the behavior of the extended handshake by means of the following Gateway Configuration Parameters. How to edit these parameters is explained in Advanced Cluster Configuration: