Latency issue when using two Check Point Synchronization networks

Article ID: 167988

Products

XOS

Issue/Introduction

Symptoms:
  • Intermittent traffic latency issues through Check Point cluster
  • Ping shows RTT up to multiple seconds
  • cphaprob syncstat reports rapidly increasing "Old or too-new arriving updates" and "Retransmission requests"
  • Non-sticky support is disabled in Cluster properties
  • Check Point Topology is configured with 2 Sync networks:
circuit sync1
  device-name sync1
  link-state-resistant
  vap-group fw
    ip 192.168.1.1/24 192.168.1.255 increment-per-vap 192.168.1.2

circuit sync2
  device-name sync2
  link-state-resistant
  vap-group fw
    ip 192.168.2.1/24 192.168.2.255 increment-per-vap 192.168.2.2

interface ethernet 1/8
  logical sync1
    circuit sync1

interface ethernet 2/8
  logical sync2
    circuit sync2
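A quick way to confirm the third symptom is to capture `cphaprob syncstat` twice, a known number of seconds apart, and compute how fast the two counters quoted above are growing. The script below is an added example and not part of this article or of Check Point or XOS; the snapshot text is constructed to resemble the relevant lines of `cphaprob syncstat` output, and the 10/s threshold is an assumed starting point, not a Check Point figure.

```python
import re

# Counter names quoted in the Symptoms list above.
COUNTERS = ("Old or too-new arriving updates", "Retransmission requests")

# Constructed snapshots (not real captures), taken 60 s apart.
SAMPLE_T0 = """\
Sync Statistics (IDs of F&A Peers - 1 ):
Old or too-new arriving updates: 120
Retransmission requests: 45
"""
SAMPLE_T1 = """\
Sync Statistics (IDs of F&A Peers - 1 ):
Old or too-new arriving updates: 9860
Retransmission requests: 3210
"""


def parse_syncstat(text):
    """Return {counter_name: value} for the counters we track."""
    found = {}
    for name in COUNTERS:
        m = re.search(re.escape(name) + r"\s*:\s*(\d+)", text)
        if m:
            found[name] = int(m.group(1))
    return found


def sync_rates(before, after, seconds):
    """Per-second growth of each tracked counter between two snapshots."""
    b, a = parse_syncstat(before), parse_syncstat(after)
    return {n: (a[n] - b[n]) / seconds for n in COUNTERS if n in a and n in b}


def sync_degraded(before, after, seconds, threshold=10.0):
    """True when every tracked counter grows faster than `threshold` per second.
    The default threshold is an assumption; tune it to the cluster's baseline."""
    rates = sync_rates(before, after, seconds)
    return bool(rates) and all(r > threshold for r in rates.values())


if __name__ == "__main__":
    for name, rate in sync_rates(SAMPLE_T0, SAMPLE_T1, 60).items():
        print(f"{name}: {rate:.1f}/s")
    print("sync degraded:", sync_degraded(SAMPLE_T0, SAMPLE_T1, 60))
```

In practice, feed `sync_degraded` the two real captures and the interval between them, once with both Sync networks active and again after applying the workaround below, to see whether the rates drop.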

Cause

The Blue Coat recommendation is to use a single Check Point Synchronization network and to provide a backup interface through the redundancy-interface feature of XOS. Configuring two Sync networks can produce the high-latency symptoms listed above.

Resolution

Change Check Point Topology to use a single Synchronization network and configure redundancy-interface in XOS.

Workaround

Temporarily shut down the secondary Sync network to verify whether the latency is introduced by it:

configure circuit sync2 no link-state-resistant
configure interface ethernet 2/8 no enable