Troubleshooting guide
Chapter 2 Troubleshooting Active Network Management Debugging the Connect Control Module
Advanced Technical Reference Guide 4.1 • June 2000 109
Load balancing does not work on HPUX when the web servers are on virtual interfaces
No solution is available at this time.
See the SecureKnowledge Solution (ID 10043.0.3487758.2562155) on the Check Point Technical Services site.
Connections going to the Connect Control address are dropped by the Stealth Rule
If the firewall's external address is used as the Connect Control address (that is, the address to which Internet users will connect) and there is a Stealth Rule (that is, Any / Any / Firewall / Drop / Alert), the Stealth Rule will also block the Connect Control connections from Internet users.
You may want to use another address in the valid external range for the Connect Control address and have the firewall proxy ARP for it.
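The rule-ordering effect described above, as an added example that is not part of the original guide. It models a first-match rule base in Python; the field layout (src/dst/service/action), the object names, and all addresses (RFC 5737 documentation ranges) are constructed assumptions, not the product's rule format.

```python
# Added illustration of first-match rule evaluation; not Check Point code.
# Object names, addresses and the rule layout are constructed for this example.

FW_EXTERNAL = "203.0.113.1"      # constructed: firewall's external interface
FW_INTERNAL = "10.0.0.1"         # constructed: firewall's internal interface
INTERNET_CLIENT = "198.51.100.7" # constructed: an Internet user

RULES = [
    # Stealth Rule: anything addressed to the firewall itself is dropped.
    {"name": "Stealth", "src": "Any", "dst": "Firewall",
     "service": "Any", "action": "drop"},
    # Rule that lets Internet users reach the load-balanced (logical) server.
    {"name": "Web load balancing", "src": "Any", "dst": "Logical_Web",
     "service": "http", "action": "accept"},
]

def matches(field, value, objects):
    """'Any' matches everything; a named object matches its member addresses;
    anything else is compared literally (used here for the service name)."""
    if field == "Any":
        return True
    if field in objects:
        return value in objects[field]
    return field == value

def evaluate(rules, objects, src, dst, service):
    """Return (rule number, rule name, action) of the first matching rule."""
    for number, rule in enumerate(rules, start=1):
        if (matches(rule["src"], src, objects)
                and matches(rule["dst"], dst, objects)
                and matches(rule["service"], service, objects)):
            return number, rule["name"], rule["action"]
    return None, "implicit drop", "drop"

def connect_control_verdict(cc_address):
    """Which rule does an Internet HTTP connection to the Connect Control
    address hit, given that address as the logical server's address?"""
    objects = {
        "Firewall": {FW_EXTERNAL, FW_INTERNAL},
        "Logical_Web": {cc_address},
    }
    return evaluate(RULES, objects, INTERNET_CLIENT, cc_address, "http")

if __name__ == "__main__":
    # Connect Control address == firewall's external address: Stealth wins.
    print(connect_control_verdict(FW_EXTERNAL))
    # Separate address in the external range: the load-balancing rule is hit.
    print(connect_control_verdict("203.0.113.10"))
```

The model covers only rule matching; the proxy ARP configuration needed for the separate address is outside its scope.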
Debugging the Connect Control Module
The Connect Control Module is one of the “Load Balancing Components” described on page 107. It resides in the kernel of the FireWall Module and contains the load balancing algorithm.
The Connect Control Module uses several kernel tables
To debug Connect Control problems you will almost always need to examine one of the following tables:
• Check_alive – this table exists to see if the physical servers are alive. The in.pingd process reads the table and sends pings to the servers if a time period has passed.
• Logical_cache_table – only when persistent mode is enabled. Holds the information relating to which client connects to which server.
• Logical_request – any new connection going through the Connect Control Module is written to this table.
• Logical_server_table – holds a list of the logical servers.
• Logical_server_list_table – if NAT is involved
These tables are described in detail in “Load balancing tables,” page 164 of “Appendix A: State Tables for VPN-1/FireWall-1 4.0.”
Check_alive table
Load balancing takes place between a group of servers. A server will only take part in the load balancing if it is alive. If a server is no longer considered a valid server (it may be down or overloaded, for example), the VPN/FireWall module will not redirect packets to that server. The Check_alive table is used to determine whether the servers in the group are alive.
The in.pingd process sends pings to the servers at regular intervals, and a computation based on the values in the table determines whether or not the server is alive.