ClusterXL unstable

[cciesec2006]

I have a pair of SPLAT R55 w/ hfa20 running on Dell Servers
(P4 2.8 GHz and 1GB RAM) Active/Active ClusterXL. It is
being managed by a CMA inside a Provider-1 NG AI R55 with
HFA_20. The box is not pushing a lot of traffics, only
telnet and http traffics going through a box. There
is only ONE host behind the firewalls. Firewalls has
three interfaces (external, internal and sync interface).
External interface is connected to a hub #1. Internal
interface is connected to hub #2, and sync interface
is connected to hub #3.

Every morning, when I push policy to the cluster,
I am getting this message:

gw1: sys_message: installed ClusterXL
gw2: sys_message: installed ClusterXL
gw1: cluster_info: (ClusterXL) Stopping ClusterXL.
gw1: cluster_info: (ClusterXL) Starting ClusterXL.
gw2: cluster_info: (ClusterXL) Stopping ClusterXL.
gw2: cluster_info: (ClusterXL) Starting ClusterXL.

It means that my cluster is flapping. If I push
the policy again, I do not see these messages.
However, if I push the policy again an hour later,
I see these messages. It means that my cluster is
unstable.

I did the following to both SPLAT firewalls:

fw ctl set int fwha_freeze_state_machine_timeout 60

However, I still see those messages whenever I push
the policy every morning.

Anyone know what the problem is? Thanks.

[luisrocha]

Are you using Multicast or Unicast Load sharing, by your descruption, it seems a problem with Multicast addresses and the switches you are using.

If you are using Multicast, does the switch have IGMP disable ?

Try to take a look at this articles:
Using ClusterXL with IGMP Snooping-enabled switches
Solution ID: #sk33221

Interface flapping in a Load Sharing ClusterXL R55 environment
Solution ID: #sk30822


Regards

Luis Rocha

[cciesec2006]

1) If you read my email carefully, I am using hubs, NOT switch.
Therefore, multicast or unicast will work on hubs because the hub
is a broadcast domain.

2) I am using ClusterXL Unicast load-sharing.

What you suggested does not apply in my situation.

Regards

[pat13b]

Hello,

Not sure if this helps or even applies to your situation.........

Broadcom NICs causing system problems in a Multi-CPU, SecurePlatform, ClusterXL configuration Print this Solution

Solution ID: #sk31647

Product: ClusterXL, SecurePlatform
Version: NG AI, NG
Last Modified: 10-Apr-2006

Symptoms

Broadcom network interface cards (mostly on-board a HW Server) in some hardware models cause system problems, for example, freeze, crash etc. These problems are experienced when the following 4 product configuration criteria are in effect for the Security Gateway:
SecurePlatform operating system based machine deployed
Multi-CPU configuration machine deployed
ClusterXL solution established (cluster mode irrelevant)
The Performance Pack acceleration module is activated.


Cause

The Broadcom network interface card (NIC) caused problems are rooted in a clash between the NIC driver and the Linux kernel version that is used prior to version NGX.

Solution

Any one of the following 3 suggestions will eliminate this problem:

Disable the Broadcom NIC (e.g via BIOS setting) and replace it with a NIC of a different manufacturer (e.g. Intel).

Only use a Single-CPU configuration. Implement the
Single-CPU configuration either by removing/disabling the necessary number of CPUs or by deactivating the Performance Pack module.

Upgrade Security Gateway to version VPN-1 Pro/Express NGX. The Broadcom NIC caused problems are resolved in version NGX.


-pat13b