Packet loss when proving VAP firewall resilience

[mac123]

Running VSX NGX R60 on Crossbeam X80 XOS 7.2.1-48.

Running with 2 x NPM, 2 x CPM, 3 X APM ( 1 in standby ), 2 APM in a VSX cluster

Running continuos https test to webserver behind the firewall when we pull a blade, standby kicks in but noticed from show active flow, NPM still sending traffic to blade which has been removed and we lose https sessions which do recover.

Not sure how to debug or fix this

Backup mode of vap group is set to group.

Any ideas ?

Thanks in advance

Mac

[lunatrick]

if you only have 3 apm's and one VSX cluster then why not just have all three live and have backup mode group...that way if one of the blade fails then the flow will be redirected....

what I don't understand is why the flow isn't just automatically redirected to blade 2 in this scenario...nevermind the third blade which would take time to boot and load the image which wil happen automatically as it joins the vap group. In terms of the checkpoint config I presume you have a sync network setup?

can you post up your vap config please?

[chuachongchee]

Quote:

Originally Posted by mac123

Running VSX NGX R60 on Crossbeam X80 XOS 7.2.1-48.

Running with 2 x NPM, 2 x CPM, 3 X APM ( 1 in standby ), 2 APM in a VSX cluster

Running continuos https test to webserver behind the firewall when we pull a blade, standby kicks in but noticed from show active flow, NPM still sending traffic to blade which has been removed and we lose https sessions which do recover.

Not sure how to debug or fix this

Backup mode of vap group is set to group.

Any ideas ?

Thanks in advance

Mac

What is your checkpoint config on you cluster?? Did you set "3rd party ha"?? And a show techsupport will do us good, or can you post your config??

[cpcpc]

If you put 3 vaps as VSX cluster, Check Point Sync should take care of that.

[wa1di]

For sync network you should have created internal circuit for managing state information between members if you have SBHA.