How to access Check Point HA statistics, status and data using cphaprob

Article ID: 168075

Products

XOS

Issue/Introduction

Check Point HA statistics, status, and data are accessible using the cphaprob command. This article describes what types of data can be gathered and how to access them.

Cause

The cphaprob command can be used to check the status of the Check Point HA mechanism. This command is valid only on systems where HA mode is enabled (clusters).


The most common use of cphaprob is to check the status of the cluster members. On the Crossbeam X-Series Platform, Cluster Mode is always reported as: Sync only (OPSEC).

###
cfw1dc_1 (xbm1-dc): ~$ cphaprob state
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
1 (local) 10.210.1.101 Active
2 10.210.1.102 Active
3 10.210.1.103 Active
4 10.210.1.104 Active
5 10.210.1.201 Active
6 10.210.1.202 Active
7 10.210.1.203 Active
8 10.210.1.204 Active
(*) FW-1 monitors only the sync operation and the security policy
Use OPSEC's monitoring tool to get the cluster status
###


There are known situations where cphaprob state has reported the status of one or more members as Down, even when everything was working correctly. Please see solution#1073 for further details.


The cphaprob tool can be used to check the list of interfaces known to the Check Point HA mechanism:
###
vsxr65_1 (X80-4): [vs0] root$ cphaprob -a if

Required interfaces: 1
Required secured interfaces: 1

eth0 UP
eth1 UP
sdp0 UP
sdp1 UP
sdp2 UP
sdp3 UP
vnd0 UP
mgmt UP
cust UP
syncvsx UP (secured)
cust.151 UP
cust.157 UP
user.157 UP
[cut]

Virtual cluster interfaces: 15

Virtual Device ID Interface Cluster IP
------------------------------------------------
0 mgmt 192.168.130.200
0 cust.151 172.17.151.201
0 cust.157 172.17.157.201
0 wrp512 160.62.14.49
0 wrp513 162.86.30.185
0 user.157 172.17.157.202
[cut]
###

The interface marked as secured is a synchronization interface.


Statistics showing sync serialization can be checked using the following command:
cphaprob ldstat

###
vsxr65_1 (X80-4): [vs0] root$ cphaprob ldstat

Summarized statistics for all Virtual Devices:
Operand Calls Bytes Average Ratio %
------------------------------------------------------
ERROR 0 0 0 0
SET 13233 2424948 183 31
RENAME 0 0 0 0
REFRESH 51538 2473812 47 32
DELETE 11642 415164 35 5
SLINK 13031 833984 64 10
UNLINK 0 0 0 0
MODIFYFIELDS 21654 1559088 72 20
RECORD DATA CONN 0 0 0 0
COMPLETE DATA CONN 0 0 0 0

Total bytes sent: 8595780 (8 MB) in 50045 packets. Average 171

*Use -vs flag for specific Virtual Device information
###



Sync transport layer statistics can be checked using the following command:
###
vsxr65_1 (X80-4): [vs0] root$ cphaprob syncstat

Sync Statistics (IDs of F&A Peers - 1 2 3 ):

Other Member Updates:
Sent retransmission requests................... 0
Avg missing updates per request................ 0
Old or too-new arriving updates................ 0
Unsynced missing updates....................... 0
Lost sync connection (num of events)........... 100
Timed out sync connection ..................... 0

Local Updates:
Total generated updates ....................... 189309
Recv Retransmission requests................... 0
Recv Duplicate Retrans request................. 0

Blocking Events................................ 0
Max length of sending queue.................... 4099
Avg length of sending queue.................... 1
Unhold Pkt events.............................. 0
Not held due to no members..................... 0
Max held duration (sync ticks)................. 0
Avg held duration (sync ticks)................. 0

Timers:
Sync tick (ms)................................. 100
CPHA tick (ms)................................. 100

Queues:
Sending queue size............................. 512
Receiving queue size........................... 256
----------------------------------------------------

Summarized statistics for all Virtual Devices:
Blocked packets................................ 0
Hold Pkts events............................... 0

*Use -vs flag for specific Virtual Device information
###


Both of the above commands have optional switches:
-reset - resets the counters and prints out the standard information
-a - shows statistics per VS
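
An added example (not part of the original article): since -reset clears the counters, comparing two saved cphaprob syncstat snapshots is a way to see which counters are still growing without resetting them. The sample text is constructed from the output above, and the set of watched counters is an assumption of this example.

```python
import re

# Constructed sample, abbreviated from the `cphaprob syncstat` output above.
SNAPSHOT_T0 = """\
Other Member Updates:
Sent retransmission requests................... 0
Lost sync connection (num of events)........... 100
Timed out sync connection ..................... 0

Local Updates:
Total generated updates ....................... 189309
Blocking Events................................ 0

Queues:
Sending queue size............................. 512
"""
# Constructed second snapshot: three more lost-sync events, more updates.
SNAPSHOT_T1 = SNAPSHOT_T0.replace(" 100\n", " 103\n").replace("189309", "190020")

# Assumption of this example: counters worth alerting on when they grow.
WATCHED = {"Sent retransmission requests", "Lost sync connection (num of events)",
           "Timed out sync connection", "Unsynced missing updates", "Blocking Events"}

# A counter line is a name, a run of dots, then an integer.
COUNTER_RE = re.compile(r"^(.+?)\s*\.{3,}\s*(\d+)\s*$")

def parse_syncstat(text):
    """Return {(section, counter): value} from syncstat output."""
    counters, section = {}, None
    for line in map(str.strip, text.splitlines()):
        match = COUNTER_RE.match(line)
        if match:
            counters[(section, match.group(1))] = int(match.group(2))
        elif line.endswith(":"):
            section = line[:-1]  # e.g. "Other Member Updates"
    return counters

def watched_deltas(before, after):
    """Growth of watched counters between two snapshots."""
    old, new = parse_syncstat(before), parse_syncstat(after)
    deltas = {}
    for key, value in new.items():
        prev = old.get(key, 0)
        # A lower value means the counters were reset in between (-reset),
        # so everything counted since the reset is new.
        delta = value - prev if value >= prev else value
        if key[1] in WATCHED and delta:
            deltas[key] = delta
    return deltas

if __name__ == "__main__":
    for (section, name), delta in watched_deltas(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{section} / {name}: +{delta}")
```
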

Resolution

N/A

Workaround

N/A