Full sync happens when a cluster member comes up, for example after a reboot. At other times Delta sync requires no memory, because Delta sync updates are applied immediately. The line "Number of Pending packets currently held: 1" appears only when the value is non-zero.
ClusterXL prevents out-of-state packets in non-sticky connections. If for some reason the SYN-ACK is not received, the Security Gateway on the cluster member does not release the held packet, and the connection is not established. The line "Packets released due to timeout" likewise appears only for a non-zero value. If the Number of Pending Packets is large (more than pending packets) and the number of Packets released due to timeout is small, take action to reduce the number of pending packets.
To solve this problem, see Reducing the Number of Pending Packets. Heavily loaded clusters, and clusters with geographically separated members, pose special challenges.

High connection rates and large distances between members can introduce delays that affect the operation of the cluster. The cphaprob [-reset] syncstat command is a tool for monitoring the State Synchronization mechanism in highly loaded and distributed clusters (the -reset option clears the counters so that a fresh sample can be taken). The section Output of cphaprob [-reset] syncstat explains each output parameter and states when a value indicates a problem.

Any identified problem can be addressed with one or more of the tips in Synchronization Troubleshooting Options. The output parameters of the cphaprob syncstat command are described below.

The values shown give insight into the state and characteristics of the synchronization network. Each parameter and the meaning of its possible values is explained in the following sections.
These statistics relate to the state synchronization mechanism. The statistics in this section relate to updates generated by other cluster members, or to updates that were not received from the other members. Updates inform about changes in the connections handled by a cluster member, and are sent from and to members. Updates are identified by sequence numbers.

The number of retransmission requests sent by this member. A retransmission request is sent when packets with specific sequence numbers are missing while updates with higher sequence numbers have already arrived from the sending member. Note - Compare the number of retransmission requests with the Total Generated Updates of the other members (see Total Generated Updates).

Each retransmission request can carry up to 32 missing consecutive sequences. The value of this field is the average number of requested sequences per retransmission request. More than 20 missing consecutive sequences per retransmission request can imply connectivity problems. Note - If this value is unreasonably high, contact Technical Support, equipped with the entire output and a detailed description of the network topology and configuration.

The number of arriving sync updates whose sequence number is too low (the update belongs to an old transmission) or too high (it cannot belong to a new transmission).

The number of missing sync updates for which the receiving member stopped waiting. The member stops waiting when the difference between the sequence number of a newly arriving update and that of the missing update is larger than the length of the Receiving Queue. This value should be zero. Note - To decrease the number of lost updates, expand the capacity of the Receiving Queue. See Enlarging the Receiving Queue.

Lost Sync Connection (num of events): the number of events in which synchronization with another member was lost and regained, either because a Security Policy was installed on the other member or because of a large difference between the expected and received sequence numbers. Note - Allow the sync mechanism to handle large differences in sequence numbers by expanding the Receiving Queue capacity.

Timed out Sync Connection: the number of events in which this member declared another member not connected. A member is considered disconnected when no ACK packets are received from it for a period of time (one second), even though Flush and Ack packets are being held for that member. The value should be zero. Even with a round trip time on the sync network as high as ms, one second should be enough time to receive an ACK. A positive value indicates connectivity problems, and you may have to contact Technical Support equipped with the entire output and a detailed description of the network topology and configuration.
The statistics in this section relate to updates generated by the local cluster member.

Under extremely heavy load the cluster may block new connections. This parameter shows the number of times the cluster member started blocking new connections because of sync overload. The member starts to block connections when its Sending Queue reaches its capacity threshold. A positive value indicates heavy load; in that case, look at Blocked Packets to see how many packets were blocked. Each dropped packet means one blocked connection. Note - The best way to handle a severe connection-blocking problem is to enlarge the Sending Queue. See Enlarging the Sending Queue. Another possibility is to decrease the timeout after which a member initiates an ACK (see Reconfiguring the Acknowledgment Timeout); this keeps the sending queue capacity more accurately updated, which makes the blocking decision more precise.

Blocked Packets: the number of packets that were blocked because the cluster member was blocking all new connections (see Blocking Scenarios). This is usually one packet per new connection attempt.

Max Length of Sending Queue: the size of the Sending Queue is fixed. By default it is sync updates. As newer updates with higher sequence numbers enter the queue, older updates with lower sequence numbers drop off the end of the queue, so an older update can be dropped before the member has received an ACK for it from all the other members. This parameter is the difference between the current sync sequence number and the last sequence number for which the member received an ACK from all the other members. Its value can therefore be greater than the queue size, but it should be less than the queue size. If it is larger, there is not necessarily a sync problem; however, the member is unable to answer retransmission requests for updates that are no longer in its queue. Note - Enlarge the Sending Queue to a value larger than this value.

The average value of the Max Length of Sending Queue parameter, since reboot or since the Sync statistics were reset.

Hold Pkts Events: the number of occasions on which a sync update required Flush and Ack, so the packet was kept within the system until an ACK arrived from all the other functioning members. This should equal the number of Unhold Pkt Events. Note - If it does not, contact Technical Support equipped with the entire output and a detailed description of the network topology and configuration.

Unhold Pkt Events: the number of occasions on which the member received all the required ACKs from the other functioning members. This should equal the number of Hold Pkts Events.

The number of packets that should have been held within the system but were released because there were no other operating members. Note - A positive value means the cluster has a connectivity problem. Examine Lost Sync Connection (num of events) and Timed out Sync Connection to find out why the member thinks it is the only cluster member. You may also need to contact Technical Support equipped with the entire output and a detailed description of the network topology and configuration.

The maximum time, in ticks (one tick equals 100 ms), for which a held packet was delayed in the system for Flush and Ack purposes. It should not be higher than 50 ticks (5 seconds), because the pending timeout mechanism releases held packets after a certain timeout; by default the release timeout is 50 ticks. A high value indicates a connectivity problem between the members. Also examine Timed out Sync Connection to understand why packets were held for a long time.

The average duration, in ticks (one tick equals 100 ms), for which held packets were delayed within the system for Flush and Ack purposes. The average should be about the round-trip time of the sync network. A larger value indicates a connectivity problem. Note - If the value is high, contact Technical Support equipped with the entire output and a detailed description of the network topology and configuration so that the cause of the problem can be examined.

The Sync timer performs cluster-related actions at a fixed interval. By default, the Sync timer interval is ms. The base time unit is 100 ms (1 tick), which is also the minimum value. The CPHA timer performs cluster-related actions at a fixed interval. By default, the CPHA timer interval is ms.
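The following script is an added illustration and is not Check Point's code or part of the original guide. It parses syncstat-style text and applies the thresholds stated above (20 missing sequences per request, zero unsynced updates, Hold equal to Unhold, the 50-tick held-packet limit, and so on). Because the extracted page does not reproduce the exact output labels, the labels in the constructed sample and in the checks are assumptions modelled on the parameter descriptions, and the sample values are made up so that several warnings trigger; the `expected_rtt_ms` parameter is likewise an assumed input that you set from your own sync network.

```python
#!/usr/bin/env python3
"""Parse `cphaprob syncstat`-style text and apply the guide's health rules.
Added example, not Check Point code: field labels are assumptions that
mirror the parameter descriptions; adjust them to your gateway's output."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not captured from a real gateway); values are chosen
# so that several of the guide's warning conditions trigger.
SAMPLE = """\
Sync Statistics (IDs of active members): 0, 1

Other Member Updates:
  Sent retransmission requests:          12
  Avg missing updates per request:       24
  Unsynced missing updates:              2
  Lost sync connection (num of events):  1
  Timed out sync connection:             0

Local Updates:
  Total generated updates:               184532
  Blocking events:                       2
  Blocked packets:                       17
  Max length of sending queue:           640
  Hold pkts events:                      3801
  Unhold pkt events:                     3799
  Not held due to no members:            0
  Max held duration (ticks):             61
  Avg held duration (ticks):             1

Timers:
  Sync tick (ms):                        100

Queues:
  Sending queue size:                    512
  Receiving queue size:                  256
"""

# Matches "Label: <integer>"; section headers and the member-ID line do not match.
LINE_RE = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s+(-?\d+)\s*$")

Finding = Tuple[str, str, str]  # (severity, field, explanation)


def parse_syncstat(text: str) -> Dict[str, int]:
    """Return {lower-cased label: value} for every 'Label: number' line."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(1).strip().lower()] = int(m.group(2))
    return stats


def check_syncstat(stats: Dict[str, int], expected_rtt_ms: int = 100) -> List[Finding]:
    """Apply the guide's thresholds; a counter absent from the output counts as 0."""
    def v(key: str) -> int:
        return stats.get(key, 0)

    f: List[Finding] = []
    if v("avg missing updates per request") > 20:
        f.append(("warn", "avg missing updates per request",
                  "more than 20 missing consecutive sequences per request implies connectivity problems"))
    if v("unsynced missing updates") > 0:
        f.append(("warn", "unsynced missing updates", "should be zero; enlarge the Receiving Queue"))
    if v("lost sync connection (num of events)") > 0:
        f.append(("info", "lost sync connection (num of events)",
                  "sync lost and regained: policy install on the peer or a large sequence gap"))
    if v("timed out sync connection") > 0:
        f.append(("error", "timed out sync connection",
                  "no ACK from a peer for one second while Flush and Ack packets were held"))
    if v("blocking events") > 0:
        f.append(("warn", "blocking events",
                  f"new connections blocked {v('blocking events')} time(s) by sync overload, "
                  f"{v('blocked packets')} packet(s) dropped; enlarge the Sending Queue"))
    send_q, max_len = stats.get("sending queue size"), v("max length of sending queue")
    if send_q is not None and max_len > send_q:
        f.append(("warn", "max length of sending queue",
                  f"{max_len} exceeds queue size {send_q}: old updates cannot be retransmitted; "
                  f"enlarge the Sending Queue beyond {max_len}"))
    if v("hold pkts events") != v("unhold pkt events"):
        f.append(("error", "hold pkts events", "Hold and Unhold event counts differ; contact Support"))
    if v("not held due to no members") > 0:
        f.append(("error", "not held due to no members",
                  "packets released because no peer was seen; check Lost/Timed out Sync Connection"))
    if v("max held duration (ticks)") > 50:
        f.append(("warn", "max held duration (ticks)", "above the 50-tick (5 s) pending timeout"))
    tick_ms = stats.get("sync tick (ms)", 100)
    rtt_ticks = max(1, -(-expected_rtt_ms // tick_ms))  # RTT expressed in ticks, rounded up
    if v("avg held duration (ticks)") > rtt_ticks:
        f.append(("warn", "avg held duration (ticks)",
                  f"held packets wait longer than the expected sync RTT (~{rtt_ticks} tick(s))"))
    return f


if __name__ == "__main__":
    for sev, field, why in check_syncstat(parse_syncstat(SAMPLE)):
        print(f"[{sev:5}] {field}: {why}")
```

Run it against saved output with `python3 syncstat_check.py < /dev/null` after replacing `SAMPLE` with the captured text, or import `parse_syncstat` and `check_syncstat` from a cron job that samples `cphaprob syncstat` after a `cphaprob -reset syncstat`, so that counters reflect only the sampling window rather than everything since reboot.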
Each cluster member has two queues: the Sending Queue and the Receiving Queue. The Sending Queue on the cluster member stores locally generated sync updates.

The list of cluster units changes depending on how you log into the CLI. If you log into the primary unit, the primary unit is at the top of the list, followed by the other cluster units. If you use execute ha manage or a console connection to log into a subordinate unit CLI and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.

The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled, the cluster has two virtual clusters.

The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster 1 displays information for the cluster. If virtual domains are enabled, vcluster 1 displays information for virtual cluster 1. The HA heartbeat IP address is . The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list. If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work.

No: a change in priority will not preempt the primary state. Yes: the primary state was set manually through the CLI with the request chassis cluster failover node or request chassis cluster failover redundancy-group command; this overrides Priority and Preempt. Monitor Failure code: the cluster is not working properly, and the respective failure code is displayed.

Description: display the current status of the chassis cluster. Options: none (display the status of all redundancy groups in the chassis cluster).