Cluster sync cable tricks

Got this from Watcha again.

A sync cable is only used to exchange state information. If you pull it, the state tables will fall out of sync, but the cluster otherwise remains healthy and can still fail over. So YES – protocols like FTP will hang, but most other resilient protocols such as DNS and HTTP will continue to work without a blip.

In a cluster, CCP (UDP port 8116) packets are exchanged on all interfaces. CCP packets are only keep-alive status messages and do NOT contain state information. If a member notices that it is not seeing CCP packets from its peer on one interface, the current standby goes to DOWN and the active member remains active and goes to Active Attention. Failover still works regardless of whether a sync cable is present. The downside is that the state table may be hosed, but the members will fail over as always (assuming both members are otherwise healthy).

Never fully tested the above, but it makes sense... TBD.


Comments

  • Bob Mog On May 5, 2015 at 10:39 pm

    Fine for internet gateways perhaps but internal core network failover without state is bad news.
    I’ve seen lots of crappy apps (SAP is a big one) that will just keep trying with existing connections for minutes and even hours while the firewall keeps dropping the packets silently as out of state.
    Some SAP apps even fail the user's transaction if one back end connection to the database fails.
    Kernel parameter fw_reject_non_syn 1 can assist resolving this as it sends a reject packet back to the app server (client) if it drops their connection due to an out of state packet. This should ensure the application server knows to establish a new TCP connection rather than retry using the original one.

    • Dreezman On May 6, 2015 at 5:26 am

      Why do I have a blog? This is great info, you should start a blog! Will give this a shot.

      • Bob Mog On May 6, 2015 at 7:52 pm

        This may place some more load on the firewall compared to silently dropping out of state packets, but I’ve got a 61k to play with so plenty of CPU cycles spare at my disposal.
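To make the two behaviours discussed above concrete (the post's point that the sync link carries state while CCP keepalives only drive failover, and Bob Mog's point about fw_reject_non_syn turning a silent out-of-state drop into a reject), here is a small simulation. It is an added example written for this page, not Check Point code or anything from the post's author or commenters; the member names, interface names, connection tuples and the `reject_non_syn` flag are all constructed for the illustration.

```python
"""Toy model of a two-member stateful firewall cluster: a sync link that carries
connection state, and per-interface CCP keepalives that drive role changes.
Added illustration for this post, not Check Point code; all names and
connection tuples below are constructed."""
from dataclasses import dataclass, field

IFACES = ("eth0", "eth1", "eth2")  # assumed interfaces on which CCP keepalives flow


@dataclass
class Member:
    name: str
    role: str  # "active", "active_attention", "standby" or "down"
    state_table: set = field(default_factory=set)  # connection tuples known to this member
    peer_ccp_ok: dict = field(default_factory=lambda: {i: True for i in IFACES})


class Cluster:
    def __init__(self, reject_non_syn=False):
        self.members = {"fw1": Member("fw1", "active"), "fw2": Member("fw2", "standby")}
        self.sync_up = True                   # sync cable plugged in
        self.reject_non_syn = reject_non_syn  # models the fw_reject_non_syn=1 behaviour

    @property
    def active(self):
        return next(m for m in self.members.values() if m.role.startswith("active"))

    @property
    def standby(self):
        return next(m for m in self.members.values() if not m.role.startswith("active"))

    def pull_sync_cable(self):
        self.sync_up = False

    def open_connection(self, conn):
        """Active member accepts a SYN; the state is synced only while the sync link is up."""
        self.active.state_table.add(conn)
        if self.sync_up:
            self.standby.state_table.add(conn)

    def ccp_lost(self, iface):
        """Peer keepalives vanish on one interface: standby -> DOWN, active -> Active Attention."""
        for m in self.members.values():
            m.peer_ccp_ok[iface] = False
        self.standby.role = "down"
        self.active.role = "active_attention"

    def failover(self):
        """Active member dies; the other member takes over regardless of the sync cable."""
        old_active, new_active = self.active, self.standby
        old_active.role = "down"
        new_active.role = "active"

    def handle_packet(self, conn, flags):
        """Verdict of the current active member for one packet of connection `conn`."""
        if "SYN" in flags and "ACK" not in flags:
            self.open_connection(conn)
            return "ACCEPT"
        if conn in self.active.state_table:
            return "ACCEPT"
        # Mid-stream packet with no state: silent drop by default, or a TCP RST
        # so the client knows to open a fresh connection instead of retrying.
        return "REJECT_RST" if self.reject_non_syn else "DROP"


def scenario(reject_non_syn=False):
    """Walk through the post's scenario and report what the client traffic sees."""
    c = Cluster(reject_non_syn)
    synced = ("10.0.0.5", 40001, "10.0.1.9", 443, "tcp")     # constructed tuples
    unsynced = ("10.0.0.6", 40002, "10.0.1.9", 1521, "tcp")
    c.handle_packet(synced, {"SYN"})     # opened while the sync link is healthy
    c.pull_sync_cable()
    c.handle_packet(unsynced, {"SYN"})   # opened after the cable was pulled
    c.failover()                         # fw1 dies, fw2 becomes active
    return {
        "active": c.active.name,
        "synced_conn": c.handle_packet(synced, {"ACK"}),
        "unsynced_conn": c.handle_packet(unsynced, {"ACK"}),
    }


def ccp_loss_roles():
    """Roles after CCP keepalives stop on a single interface (no failover yet)."""
    c = Cluster()
    c.ccp_lost("eth1")
    return {m.name: m.role for m in c.members.values()}


if __name__ == "__main__":
    print(scenario())                     # unsynced connection is silently dropped
    print(scenario(reject_non_syn=True))  # unsynced connection gets a RST instead
    print(ccp_loss_roles())
```

Running it shows the connection opened before the cable was pulled surviving the failover, while the one opened afterwards is dropped on fw2; with `reject_non_syn` set the same packet is answered with a RST, which is the behaviour the comment relies on to make long-lived application connections re-establish instead of retrying for hours.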


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.