Connecting cluster interfaces through several switches can cause problems with CCP (Cluster Control Protocol) packets: the latency introduced by the switches can prevent CCP packets from being sent or received in time for the cluster mechanism.
By design, the cluster mechanism demands that the latency for CCP packets is less than ~30 milliseconds.
Refer to the ClusterXL Administration Guide (R70, R70.1, R71, R75, R75.20, R75.40, R75.40VS, R76, R77.X) - Chapter "Synchronizing Connection Information Across the Cluster" - "The Check Point State Synchronization Solution" - "Synchronizing Clusters over a Wide Area Network".
- These requirements apply not only to Sync, but to ALL interfaces that are used in Cluster Topology.
Examples of the problem:
SmartView Tracker shows:
cluster_info: (ClusterXL) member 2 (192.168.0.6) is down (Interface Active Check on member 2 (192.168.0.6) detected a problem (14 interfaces required, only 13 up).)
cluster_info: (ClusterXL) interface Mgmt of member 2 (192.168.0.6) is down (receive up, transmit down)
Output of the "cphaprob -a if" command shows:
External Inbound: UP Outbound: DOWN (2.5 secs)
Kernel debug ("fw ctl debug -m cluster + if pnote stat timer") shows:
FW-1: if_uptime_check: IF 6 OUT: state ASSUMED UP -> UNKNOWN
FW-1: fwha_report_id_problem_status: State (FAILURE) reported by device Interface Active Check
CPHA : changing state to FAILURE
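
The symptoms above can be picked out of saved output with a short script. This is an added example, not Check Point code: the function names are hypothetical, the sample lines are constructed, and it assumes interface lines and SmartView Tracker messages are laid out as quoted in this article.

```shell
#!/bin/sh
# Added example: triage saved ClusterXL output for the CCP symptoms above.

# Reads "cphaprob -a if" output on stdin and prints one line per interface
# whose inbound and outbound states disagree.
# Assumption: lines look like "<name> Inbound: <STATE> Outbound: <STATE> (<n> secs)".
ccp_asymmetric_ifs() {
    awk '
    {
        inb = ""; outb = ""; secs = "-"
        for (i = 1; i < NF; i++) {
            if ($i == "Inbound:")  inb  = $(i + 1)
            if ($i == "Outbound:") outb = $(i + 1)
        }
        if (inb == "" || outb == "") next   # not an interface status line
        if (inb == outb) next               # both directions agree
        # Optional "(2.5 secs)" suffix, kept as reported.
        if (match($0, /\([0-9.]+ secs\)/))
            secs = substr($0, RSTART + 1, RLENGTH - 7)
        printf "%s inbound=%s outbound=%s secs=%s\n", $1, inb, outb, secs
    }'
}

# Reads SmartView Tracker cluster_info messages on stdin and reports how many
# required interfaces each "Interface Active Check" message says are missing.
ccp_missing_ifs() {
    awk '
    match($0, /\([0-9]+ interfaces required, only [0-9]+ up\)/) {
        # w[1] = required count, w[5] = count actually up
        split(substr($0, RSTART + 1, RLENGTH - 2), w, " ")
        m = "?"
        for (i = 1; i < NF; i++) if ($i == "member") { m = $(i + 1); break }
        printf "member=%s required=%d up=%d missing=%d\n", m, w[1], w[5], w[1] - w[5]
    }'
}

# Constructed sample: the first line is the one quoted in the article, the
# other two are made up in the same layout.
ccp_sample_if() {
    cat <<'EOF'
External Inbound: UP Outbound: DOWN (2.5 secs)
Internal Inbound: UP Outbound: UP
Sync Inbound: UP Outbound: UP
EOF
}

ccp_sample_if | ccp_asymmetric_ifs
```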