| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Migration to the new brave Check Point world was a real challenge... Anyway, now that it (mostly) runs (cluster with two Nokia IPSO 4.2 IP690 nodes with CP R65), we got an issue where the whole cluster went to hell.

What happens? Many rules, logging enabled on almost every rule (over 1000 policies and many, many objects). Then on the console, the error message "log buffer full" and lost 500 logs or something like that. So, because of much traffic and much logging, the log buffer on the fw was full. This "seems" to lead to a problem so that the fwd daemon crashes completely. Both nodes were not able to provide functionality anymore.

So the questions are:

1. Did you have such an issue with fwd crashing? What's the cause?
2. Is Nokia IFWD the fwd process you can see in SmartMonitor, or are these two different things?
4. Is the log buffer on VPN-1 only in RAM, or is it written to the hard disk?
5. Is the log buffer the file fw.log?
6. What is the most recommended High Availability configuration for this type of Nokia/IPSO/Check Point cluster? ClusterXP + IPSO VRRP Managed Circuits? Or ONLY Nokia VRRP? These different HA modes and their advantages/disadvantages are not completely clear to me: why it should be configured this way or that way, and how this all works together.
| |||
There's an SK article about the log buffer being full. In short, it is a circular buffer that stores what needs to be logged before it either writes to disk (if logging locally) or sends it to a remote logging server (either SmartCenter server or a specific logging server). You can increase this buffer if needed, but there are limits to how big you can make it.

Generally, if you're logging everything under the sun, though, you might want to examine why you need to log so many things and reduce the amount of stuff you are logging. It might explain why fwd is crashing (and yes, if fwd crashes, you lose lots of functionality).

ifwd is not the same thing as fwd; ifwd is a legacy process that used to signal to Firewall-1 that a failover needs to occur. It has not been necessary since roughly R55 and should be disabled (done in Voyager).

Neither VRRP nor IP Clustering is "any better" than the other, but they serve different needs. If you are running a site-to-site VPN and you want to load balance the two machines, IP Clustering is the way to go. If you're not doing VPN or are mostly interested in active/standby, VRRP Monitored Circuits is the way to go. There are some exceptions to these rules, of course, but these are the general guidelines.
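The trade-off described in the answer above (a larger buffer versus logging less), as an added example that is not part of the original thread and is not Check Point code. It is a simplified model that assumes records arriving at a full buffer are lost; the function name `simulate`, the buffer sizes and the per-tick rates are all constructed for illustration.

```python
def simulate(capacity, arrivals, drain_rate):
    """Simplified model (an assumption, not Check Point code) of a fixed-size
    log buffer between the firewall and the process that writes records to
    disk or forwards them to a log server.

    capacity   -- records the buffer can hold
    arrivals   -- records generated per tick (one int per tick)
    drain_rate -- records the consumer can write/send per tick
    Returns (delivered, lost, first_loss_tick); first_loss_tick is None
    if nothing was lost.
    """
    fill = delivered = lost = 0
    first_loss_tick = None
    for tick, produced in enumerate(arrivals, start=1):
        fill += produced
        if fill > capacity:
            # Buffer full: the overflow is never logged.
            lost += fill - capacity
            fill = capacity
            if first_loss_tick is None:
                first_loss_tick = tick
        sent = min(drain_rate, fill)
        fill -= sent
        delivered += sent
    return delivered, lost, first_loss_tick


# Constructed workloads (records per tick); all numbers are illustrative.
SUSTAINED = [1200] * 120      # logging outpaces a 1000/tick consumer
REDUCED = [900] * 120         # same period, fewer rules set to log
BURST = [5000] + [500] * 9    # short spike, then quiet


def scenarios():
    return {
        "sustained, small buffer": simulate(4096, SUSTAINED, 1000),
        "sustained, 4x buffer": simulate(16384, SUSTAINED, 1000),
        "reduced logging": simulate(4096, REDUCED, 1000),
        "burst, small buffer": simulate(4096, BURST, 1000),
        "burst, 4x buffer": simulate(16384, BURST, 1000),
    }


if __name__ == "__main__":
    for name, (delivered, lost, first) in scenarios().items():
        print(f"{name:24} delivered={delivered:6} lost={lost:6} first_loss_tick={first}")
```

In this model a larger buffer absorbs a short burst completely, but under sustained overload it only postpones the first lost record; only bringing the logging rate below the drain rate stops the loss.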