Troubleshooting guide

ManualsBrandsBay Networks ManualsComputer equipmentBayRS

111

112

113

114

115

116

117

118

119

120

Chapter 2 Troubleshooting Active Network Management Debugging the Connect Control Module

Advanced Technical Reference Guide 4.1 • June 2000 110

Check_Alive table

12 3 4 5 6 7

address

Magic (1 or 2)

1= Client

Auth.

2= Load

balancing

Last ping time –

thetimewhen

the server was

last pinged (in

seconds since

1/1/1970)

Time to die – time

until connection is

no longer referred

to that server, if it

does not respond

(default 60 sec)

Recheck –

number of

seconds

between each 2

consecutive

rechecks

Reference

count- how

many

connections

were referred

to this server

time

left/

total

time

The following computation is used to decide if the server is up or down. If the result is TRUE, the server has

died:

Time Now – [last time host was pinged (value 3)]

>Time to Die (value 4) - When to recheck this host (Value

The pingd process is defined in the fwauthd.conf file in the conf directory. If this process is disabled

you will not be able to activate load balancing on VPN-1/FireWall-1.

The following solutions from the SecureKnowledge database solve problems that relate to the tables used by the

Connect Control module.

Logical Server of type “Other” using the round robin for the Load

Balance does not work

Another symptom is that Logical Server of type Other using the round robin for the Load Balance did work for

VPN-1/FireWall-1 4.0 SP1

A possible workaround is to choose for the Time Zone a country, which has the same difference from GMT, but

has no problem with Daylight Saving information. For example, in Israel, which is in time zone GMT+02:00,

the user may choose Helsinki for the Time Zone, since Helsinki and Israel are in the same time zone, and this

will solve the problem.

Cause of this problem: Problem will occur only where the Windows NT option 'Automatically adjust clock for

daylight savings changes' is grayed out in the Control Panel> Date/Time Properties>Time Zone. This is the case

for some of the countries listed in the time Zone list (Australia or Israel, for example).

In these countries, Daylight Savings information is not available to Windows NT, so that Time objects in the

VPN-1/FireWall-1 Rule Base may not work correctly.

This results in VPN-1/FireWall-1 updating the "check_alive" table with a wrong time. This is a result of a

bug in the compiler used to compile VPN-1/FireWall-1

See the SecureKnowledge Solution (ID: 10043.0.732302.2530987) in the Check Point Technical Services site

How to change the load balancing connection time-out

The Time-to-die value in the in the check_alive table (value 4) defines the time until connection is no

longer referred to a non-responding server. The default value is 60 seconds. It is possible to modify this value

in order to increase the amount of time for which a non-responding connection is considered valid.

To do so, edit objects, and under the :Props section Add the following line

:logical_servers_timeout (x)

where X represents any number between 0 and 65535

See related SecureKnowledge Solution (ID 21.0.1307045.2432924) in the Check Point Technical Services site.