Troubleshooting guide

Chapter 9 Troubleshooting Active Network Management Synchronization and High Availability
Advanced Technical Reference Guide 4.1 June 2000 98
Troubleshooting Synchronization
Synchronization and High Availability
Note: The section on Synchronization applies to VPN-1/FireWall-1 4.1 SP1 only.
High Availability machines do not have to be synchronized. Synchronization ensures that no connections are
lost when a machine takes control from a machine that has gone down. However, there are exceptions — for
more information see “Restrictions” on page 561 of the Check Point 2000 VPN-1/FireWall-1 Administration
Guide. The disadvantage of Synchronization is that synchronizing the internal tables on all machines reduces
performance.
If you do not require synchronization, you must still configure the High Availability machines with
synchronization set to no sync in the $FWDIR/conf/sync.conf file. If the High Availability machines are
synchronized, there must be a control channel between all the machines. For a description of the putkey
command, see “fw putkey” on page 12 of the Check Point 2000 VPN-1/FireWall-1 Reference Guide.
The following paragraphs are copied (with slight modifications) from the “Synchronization” section on page 573
of the Check Point 2000 VPN-1/FireWall-1 Administration Guide:
There are three possible synchronization modes:
1. No synchronization
2. “Old style” synchronization (compatible with previous versions of VPN-1/FireWall-1)
3. “New style” synchronization on UDP port 8116 (compatible with the High Availability feature described
in this section)
Synchronization is defined in the $FWDIR/conf/sync.conf file. See “FireWall State Synchronization” on
page 557 of the VPN-1/FireWall-1 Administration Guide.
The type of synchronization is specified by the SyncMode parameter, as follows:
SyncMode= mode
where mode is one of the following values:

SyncMode Values

Value      Meaning
No sync    There is no synchronization. This is the default setting, so there is no
           need to change existing configurations.
TCP sync   “Old style” synchronization (default value), compatible with previous
           versions of VPN-1/FireWall-1. Other lines in the file specify the VPN/FireWall
           Modules with which to synchronize.
CPHAP      “New style” synchronization on UDP port 8116, compatible with the High
           Availability feature described in this section. All other lines in the file
           are ignored. As of VPN-1/FireWall-1 4.1 SP1, this should be used with caution;
           it will work properly in VPN-1/FireWall-1 4.1 SP2.
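The following audit script is an added example and is not part of the Check Point guide. It reads a sync.conf, reports which SyncMode is in effect and flags the conditions the table above describes: a missing setting on an HA member, unused peer lines under “No sync” or CPHAP, a “TCP sync” file with no peers (which would also need the putkey control channel), and the SP1 caveat for CPHAP. The file format it assumes (a `SyncMode= value` line, `#` comments, and every other non-blank line naming a peer module) is an assumption made for the example; the sample files and host names are constructed.

```python
"""Audit a VPN-1/FireWall-1 4.1 sync.conf for its SyncMode setting.

Added example, not Check Point code. Assumptions not stated in the guide:
  - the file holds "SyncMode= value" lines and '#' comments
  - every other non-blank line names a peer VPN/FireWall Module (hostname)
"""
import re

VALID_MODES = ("No sync", "TCP sync", "CPHAP")
_CANONICAL = {m.lower(): m for m in VALID_MODES}

# Constructed sample files, one per situation, so the audit runs offline.
SAMPLE_NO_SYNC = "# HA pair without state sync\nSyncMode= No sync\n"
SAMPLE_TCP = "SyncMode= TCP sync\nfw-b\nfw-c\n"          # fw-b, fw-c: made-up peers
SAMPLE_CPHAP = "SyncMode= CPHAP\nfw-b\n"                # peer line is ignored in CPHAP
SAMPLE_MISSING = "# SyncMode never set\nfw-b\n"

_PARAM_RE = re.compile(r"^\s*SyncMode\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_sync_conf(text):
    """Return (mode or None, list of peer lines) from sync.conf contents."""
    mode = None
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = _PARAM_RE.match(line)
        if m:
            mode = _CANONICAL.get(m.group(1).lower(), m.group(1))
            continue
        peers.append(line)                    # assumed: a peer module name
    return mode, peers


def audit_sync_conf(text):
    """Return (effective mode, peers, findings) for an HA member's sync.conf."""
    mode, peers = parse_sync_conf(text)
    findings = []
    if mode is None:
        # The guide: HA machines must carry an explicit setting, even "No sync".
        findings.append("SyncMode missing: HA members must set it explicitly, "
                        "even to 'No sync'")
        return "No sync", peers, findings
    if mode not in VALID_MODES:
        findings.append(f"unknown SyncMode '{mode}'; expected one of {VALID_MODES}")
        return mode, peers, findings
    if mode == "No sync":
        findings.append("no state synchronization: existing connections are lost "
                        "when another machine takes control")
        if peers:
            findings.append("peer lines present but unused in 'No sync' mode")
    elif mode == "TCP sync":
        if not peers:
            findings.append("'TCP sync' selected but no peer modules listed")
        else:
            findings.append("control channel (fw putkey) required with: "
                            + ", ".join(peers))
    else:  # CPHAP
        findings.append("'CPHAP' (UDP 8116): use with caution on 4.1 SP1, "
                        "works properly in 4.1 SP2")
        if peers:
            findings.append("peer lines are ignored in CPHAP mode: "
                            + ", ".join(peers))
    return mode, peers, findings


if __name__ == "__main__":
    for name, sample in (("no-sync", SAMPLE_NO_SYNC), ("tcp", SAMPLE_TCP),
                         ("cphap", SAMPLE_CPHAP), ("missing", SAMPLE_MISSING)):
        mode, peers, findings = audit_sync_conf(sample)
        print(f"[{name}] mode={mode!r} peers={peers}")
        for f in findings:
            print("   -", f)
```

Run it against a real file with `audit_sync_conf(open("$FWDIR/conf/sync.conf").read())` on each HA member; any finding other than the expected “control channel required” line on a TCP sync pair is worth investigating before relying on failover.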
Features Not Supported by Synchronization
Features that are not included in the kernel tables do not work over synchronized connections. The following
features are not supported by synchronization:
Content Security