Change SIC Interface

[vijayant]

Hi

We are using R60 in Cluster High Availability. It seams our SIC interface is not working properly as we see ping response of 10000 to 20000 ms on it. We have decided to config SIC on another free interface. Just want to know, will there be any issues doing that.

Thanks
Vijayant

[Danielpb]

It might be worth investigating the first SIC issues…You said you can ping the interface.

Can you confirm the following:

1.Confirm where the SmartCenter is in relation to the module
2.How is the Module IP address config setup
3.Have you tired the fw unloadlocal on the module before establishing SIC.
4. Reset SIC and try again with the step 3.
5. Run tcpdump on the interface to confirm traffic is hitting the correct interface.

[vijayant]

Daniel

Can you please explain why do you have these doughts.. I am not sure how the SIC was establish but I will proceed with steps told by you. Please let me know if any more info i can give to you to diagnose on this.

eth0 Link encap:Ethernet HWaddr 00:07:E9:0D:58:68
inet addr:10.0.0.1 Bcast:10.0.0.3 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:199837285 errors:0 dropped:0 overruns:0 frame:0
TX packets:312201896 errors:0 dropped:0 overruns:0 carrier:0
collisions:30 txqueuelen:100
RX bytes:2517148034 (2400.5 Mb) TX bytes:3606523651 (3439.4 Mb)
Base address:0xecc0 Memory:dfbe0000-dfc00000

[Expert@SUN]# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=3 ttl=128 time=11790 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=128 time=12010 ms
64 bytes from 10.0.0.2: icmp_seq=7 ttl=128 time=12487 ms

Some times I am getting:
#cphaprob state
1 (local) 203.17.26.4 100% active attention
2 203.17.26.5 0% down

in general i do not see any traffic on the sync interface

this is a remote location for us. I do get disconnected when i am working on Smart center server that is located on the internal network of this firewall.

Thanks

[Danielpb]

Hmmm are sure this is a SIC issue or a Sync issue?

[mcnallym]

I would check that the interfaces on the box is set to a speed and duplex, not left to autosense. Also hard configure the switch ports that the firewall connects into.

From the cphaprob output then I would suggest that you also have a synch problem.

Double check that the topology for the cluster is correctly configured and that the synch interface is specified correctly.

[melipla]

Quote:

Originally Posted by vijayant

Hi
We have decided to config SIC on another free interface. Just want to know, will there be any issues doing that.

I believe you meant "sync on another free interface". If so, then AFAIK there is no issue with having multiple sync interfaces for clusters.

As an aside, please verify that both cluster members have the proper time.

[vijayant]

melipla

Time difference between firewalls is 40 seconds, between Smart Center Server and Firewalls is approx 7 min.
Also let me tell you that 90 % of the traffic on this firewall is of some file upload. Either there is very low load or very high (15 Mb) that is the capacity of the internet link connected to this firewall.
Switch ports as I remember is statically configured.

mcnallym,Daniel

Primary:
eth0: 100 Mbit, full duplex, link ok
eth1: no link
eth2: 100 Mbit, full duplex, link ok
eth3: 100 Mbit, full duplex, link ok

Secondary:
eth0: 100 Mbit, full duplex, link ok
eth1: no link
eth2: 100 Mbit, full duplex, link ok
eth3: 100 Mbit, full duplex, link ok

I dont find any abnormalities in the Topology config. Only thing is that network behind the internal interface is not manualy defined.
Also please let me know how to check if the interface is auto or statically defined speed.

Tomorrow we are going to perform this activity. Any suggestion is appreciated..

Thanks

[Danielpb]

Can you first confirm if this is a Sync issue or SIC issues?

Confirm how you are trying to establish SIC?

[melipla]

Quote:

Originally Posted by vijayant

Time difference between firewalls is 40 seconds, between Smart Center Server and Firewalls is approx 7 min.

There shouldn't be any time difference between any of these devices. Start using NTP. Or at least sync them to the same NTP source once. If you still have latency with ping do a cpstop / cpstart on each cluster member, then retry a ping.

Quote:

Originally Posted by vijayant

Also let me tell you that 90 % of the traffic on this firewall is of some file upload. Either there is very low load or very high (15 Mb) that is the capacity of the internet link connected to this firewall.
Switch ports as I remember is statically configured.

Still check the switch port for interface errors. Its good that the firewall interfaces don't show erorrs. Are your sync interfaces directly attached with a cross over cable? Or are they attached to the same switch?

The other weird thing I noticed, and maybe this is to do with the version of CP. But when I do a "cphaprob stat" it shows my sync addresses using the non routables but your output didn't.

Quote:

# cphaprob stat

Cluster Mode: New High Availability (Active Up)


Number Unique Address Assigned Load State

1 (local) 192.168.1.1 100% Active
2 192.168.1.2 0% Standby

Can you verify that whatever interface contains 203.17.26.4 isn't set to sync as well? I'm using R65.