Cluster Flush and Ack (FnA) mechanism support for ICMP
Solution

The ICMP protocol is fully supported by the Flush and Ack (FnA) mechanism in a Check Point cluster.

The cluster member forces a Delta Sync packet for the incoming packet, waits for acknowledgments from all other Active members, and only then allows the incoming packet to pass through.

In some scenarios, information written into the kernel tables must be Sync-ed promptly, or else a race condition can occur. The race condition may occur if a packet that caused a certain change in the kernel tables left cluster Member_A toward its destination and the return packet then tries to go through cluster Member_B.

In general, this kind of situation is called asymmetric routing. What may happen in this scenario is that the return packet arrives at cluster Member_B before the changes induced by the original packet were Sync-ed to Member_B.

An example of such a case is a SYN packet that goes through cluster Member_A, causing multiple changes in the kernel tables, and then leaves toward a server. The SYN-ACK packet from the server arrives at cluster Member_B, but the connection itself was not Sync-ed yet. In this condition, cluster Member_B drops the packet as an Out-of-State packet ("First packet isn't SYN"). To prevent such conditions, the "Flush and Ack" (F&A) mechanism can be used.

This mechanism sends a Delta Sync packet containing all the changes accumulated so far in the Sync buffer to the other cluster members, holds the original packet that induced these changes, and waits for acknowledgment from all other (Active) cluster members that they received the information in the Delta Sync packet. Once all acknowledgments have arrived, the mechanism releases the held original packet.

This ensures that by the time the return packet arrives from a server at the cluster, all the cluster members are aware of the connection.

F&A operates at the end of the Inbound chain and at the end of the Outbound chain (it is more commonly used at the Outbound).
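The following simulation, added here as an illustration and not Check Point code, runs the asymmetric-routing race described above once without and once with Flush and Ack; the member names, the ICMP connection key and the verdict strings are constructed for the example.

```python
# Added illustration of the Flush and Ack (F&A) race, not Check Point code.
# Member names, the connection key and the verdict strings are constructed.
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    connections: set = field(default_factory=set)    # kernel connections table
    sync_buffer: list = field(default_factory=list)  # changes not yet Delta Sync-ed

    def first_packet(self, conn):
        """SYN or ICMP Echo Request: create the entry locally and queue it for sync."""
        self.connections.add(conn)
        self.sync_buffer.append(conn)

    def flush_delta_sync(self, active_peers):
        """Send the whole sync buffer to every Active member; return acks received."""
        acks = 0
        for peer in active_peers:
            peer.connections.update(self.sync_buffer)
            acks += 1  # the peer acknowledges the Delta Sync packet
        self.sync_buffer.clear()
        return acks

    def return_packet(self, conn):
        """A reply arriving here is accepted only if the connection is already known."""
        if conn in self.connections:
            return "accept"
        return "drop: Out-of-State (First packet isn't SYN)"


def simulate(flush_and_ack):
    """Asymmetric routing: request leaves via Member_A, reply returns via Member_B."""
    member_a, member_b = Member("Member_A"), Member("Member_B")
    active_peers = [member_b]
    conn = ("192.0.2.10", "198.51.100.20", "icmp-echo")  # constructed key
    member_a.first_packet(conn)
    if flush_and_ack:
        # End of Outbound chain: hold the packet, flush the sync buffer, and
        # release it only once every Active member has acknowledged.
        acks = member_a.flush_delta_sync(active_peers)
        released = acks == len(active_peers)
    else:
        released = True  # packet leaves immediately; Delta Sync is still pending
    verdict = member_b.return_packet(conn) if released else "held"
    if not flush_and_ack:
        member_a.flush_delta_sync(active_peers)  # periodic sync arrives too late
    return verdict
```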

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
