Q: How do I check if state sync is working between the firewalls?
A: Used to be able to use
netstat -an on previous versions of FW-1; this no longer works. Those older versions used TCP to synchronize the connections table; newer versions use a custom UDP-like L2 protocol.
cphaprob state is supposed to give the status of the HA config. However, according to Nokia, it is more reliable to execute fw tab -t connections -s on each firewall, then compare the value for #VALS (which is the number of entries in the connection table). They should be close.
2 Comments:
You can also run "fw ctl pstat". The end of the output shows the Sync packet information. Run it twice and verify that packets sent and recieved are increasing. Do this on both (or all) firewalls in the cluster.
in clish you can also run "show clusters" and get alot of useful info.
Post a Comment
<< Home