Viewing Cluster Correction Statistics

Background

The Cluster Correction Layer Proprietary Check Point mechanism that deals with asymmetric connections in Check Point cluster. The CCL provides connections stickiness by "correcting" the packets to the correct Cluster Member: In most cases, the CCL makes the correction from the CoreXL SND; in some cases (like Dynamic Routing, or VPN), the CCL makes the correction from the Firewall or SecureXL. Acronym: CCL. (CCL) is a mechanism that deals with asymmetric connections - when a client-to-server connection passes through one Cluster Member Security Gateway that is part of a cluster., and the server-to-client connection arrives at another Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member.

The CCL provides stickiness for connections by "correcting" the packets to the correct Cluster Member (that processed the client-to-server connection):

In most cases, the CCL makes the correction from the CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. SND instances.
In some cases (like Dynamic Routing, or VPN), the CCL makes the correction from the CoreXLFirewall instances or from SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway..

Note - For more information about CoreXL, see the R81.10 Performance Tuning Administration Guide.

Description

This command shows the statistics counters for the Cluster Correction Layer (CCL) on each Cluster Member.

The counters are reset in these cases:

Dring each boot.
When Check Point services are stopped and started.

Syntax

Shell	Command
Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).	N / A
Expert mode	`cphaprob [{-d \| -f \| -s}] corr`

Where:

Command	Description
`cphaprob corr`	Shows Cluster Correction Layer (CCL) statistics for all traffic.
`cphaprob -d corr`	Shows Cluster Correction Layer (CCL) statistics for CoreXL SND instances only.
`cphaprob -f corr`	Shows Cluster Correction Layer (CCL) statistics for CoreXL Firewall instances only.
`cphaprob -s corr`	Shows Cluster Correction Layer (CCL) statistics for SecureXL only.

Notes:

In the output of "cphaprob -d corr", this row does not appear:

Local asymmetric conns:
In the output, these rows appear only on Scalable Platforms:
- ICMP ERROR forwarded packets:
- ICMP ERROR forwarded bytes:
- VS Stateless forwarded packets:
- VS Stateless forwarded bytes:
In some cases, ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. needs to send some data along with the corrected packet (for example, in VPN).

For such packets, the output counters show "with metadata".

Calculating how much traffic is corrected out of total traffic on each Cluster Member

Large percentage values indicate a large number of assymetic connections that arrive at a cluster.

Get the output for the Cluster Correction Statistics (CCL) counters.
Copy the values of these CCL counters:
- Sent packets
- Received packets

Run:

cpview

At the top, click Network > Interfaces >Traffic.
1. In the section "RX Traffic", refer to the column "packets" > refer to the row "TOTAL".
2. In the section "TX Traffic", refer to the column "packets" > refer to the row "TOTAL".

Calculate the percentage of the corrected received packets:

(CCL "Received packets" x 100%) / (CPView "RX Traffic" packets)

Calculate the percentage of the corrected transmitted packets:

(CCL "Sent packets" x 100%) / (CPView "TX Traffic" packets)

Example 1 - CCL statistics for all traffic

[Expert@Member1:0]# cphaprob corr

Cluster Correction Stats (All Traffic):
------------------------------------------------------
Sent packets:                   0 (0 with metadata)
Sent bytes:                     0
Received packets:               0 (0 with metadata)
Received bytes:                 0
Send errors:                    0
Receive errors:                 0
Local asymmetric conns:         0
ICMP ERROR forwarded packets:   0
ICMP ERROR forwarded bytes:     0
VS Stateless forwarded packets: 0
VS Stateless forwarded bytes:   0
[Expert@Member1:0]#

Example 2 - CCL statistics for CoreXL SND instances only

[Expert@Member1:0]# cphaprob -d corr

Cluster Correction Stats (Dispatcher Corrections only):
------------------------------------------------------
Sent packets:                   0 (0 with metadata)
Sent bytes:                     0
Received packets:               0 (0 with metadata)
Received bytes:                 0
Send errors:                    0
Receive errors:                 0
[Expert@Member1:0]#

Example 3 - CCL statistics for CoreXL Firewall instances only

[Expert@Member1:0]# cphaprob -f corr

Cluster Correction Stats (Firewall instances only):
------------------------------------------------------
Sent packets:                   0 (0 with metadata)
Sent bytes:                     0
Received packets:               0 (0 with metadata)
Received bytes:                 0
Send errors:                    0
Receive errors:                 0
Local asymmetric conns:         0
[Expert@Member1:0]#

Example 4 - CCL statistics for SecureXL only

[Expert@Member1:0]# cphaprob -s corr

Getting stats for SXL device 0, may take a few seconds...

Cluster Correction Stats (SXL Devices only):
------------------------------------------------------
Sent packets:                   0 (0 with metadata)
Sent bytes:                     0
Received packets:               0 (0 with metadata)
Received bytes:                 0
Send errors:                    0
Receive errors:                 0
Local asymmetric conns:         0
[Expert@Member1:0]#