Screen OS

  • 1.  Different number of sessions on an active / passive NSRP cluster

    Posted 07-21-2010 05:44

    Hello,

    I have tried to find an answer to my relatively specific question but I haven't found anything related to it. I have recently put 2 SSG5 units in an NSRP cluster: it is working, but the number of sessions seen on the backup SSG5 is lower than the number of sessions opened on the master SSG5.

    Is it normal? Is it because the sessions are synchronised on a regular basis every X seconds, or as soon as a session has been opened? Here are some elements seen on both cluster members; tell me if you need more command outputs or log events.

    On the master

    fptl-mu:fptl1-mu(M)-> exec nsrp sync global-config check-sum
    fptl-mu:fptl1-mu(M)-> get db str
    configuration in sync

    fptl-mu:fptl1-mu(M)-> get config | inc nsrp
    set nsrp cluster id 1
    set nsrp cluster name fptl-mu
    set nsrp rto-mirror sync
    set nsrp rto-mirror route
    set nsrp vsd-group master-always-exist
    set nsrp vsd-group id 0 priority 60
    set nsrp vsd-group id 0 preempt
    set nsrp arp 5
    set nsrp monitor interface ethernet0/1
    set nsrp monitor interface ethernet0/2

    fptl-mu:fptl1-mu(M)-> get session
    alloc 352/max 16064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 15712


    On the backup

    fptl-mu:fptl2-mu(B)-> get config | inc nsrp
    set nsrp cluster id 1
    set nsrp cluster name fptl-mu
    set nsrp rto-mirror sync
    set nsrp rto-mirror route
    set nsrp vsd-group master-always-exist
    set nsrp vsd-group id 0 priority 80
    set nsrp arp 5
    set nsrp monitor interface ethernet0/1
    set nsrp monitor interface ethernet0/2
    fptl-mu:fptl2-mu(B)-> get sessio
    session              show all software sessions
    fptl-mu:fptl2-mu(B)-> get session
    alloc 251/max 16064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 15813



  • 2.  RE: Different number of sessions on an active / passive NSRP cluster
    Best Answer

    Posted 07-21-2010 07:28

    Hi,

    This is normal. A good explanation can be found here: KB7701.

    Kind regards,

    Edouard



  • 3.  RE: Different number of sessions on an active / passive NSRP cluster

    Posted 07-21-2010 09:40

    Thanks, this makes sense. Is there a reason for not activating this command, "set nsrp rto session ageout-ack", in a normal cluster?

    This seems to me a quite normal way of processing sessions. I wouldn't have let the backup unit close a session after the 8 * service timeout timer without asking the master if the session is still active.

    I have just activated the command on my cluster and synchronised sessions on the backup unit with "exec nsrp sync rto session from peer" to restore the sessions that were already closed on the backup but still active on the master unit. And now the number of sessions is the same on both units 🙂
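    As an added example (not part of this thread and not a Juniper tool), the check below compares the "get config | inc nsrp" and "get session" output of both cluster members, as pasted above, and reports the two things this thread turns on: whether "set nsrp rto session ageout-ack" is configured on both units, and how far the backup's session count lags the master. The sample inputs are copied from the outputs quoted in this thread; the output format of the two commands and the 10% warning threshold are assumptions of this example.

```python
import re

# Constructed sample inputs, copied from the command output quoted in this thread.
MASTER_NSRP_CONFIG = """\
set nsrp cluster id 1
set nsrp cluster name fptl-mu
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 60
set nsrp vsd-group id 0 preempt
set nsrp arp 5
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet0/2
"""
BACKUP_NSRP_CONFIG = """\
set nsrp cluster id 1
set nsrp cluster name fptl-mu
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 80
set nsrp arp 5
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet0/2
"""
MASTER_SESSION = "alloc 352/max 16064, alloc failed 0, mcast alloc 0, di alloc failed 0"
BACKUP_SESSION = "alloc 251/max 16064, alloc failed 0, mcast alloc 0, di alloc failed 0"

AGEOUT_ACK = "set nsrp rto session ageout-ack"
# Assumed layout of the first 'get session' line, as seen in this thread.
SESSION_RE = re.compile(r"alloc (\d+)/max (\d+), alloc failed (\d+)")
# Per-unit VSD settings (priority, preempt) legitimately differ between master and backup.
PER_UNIT_RE = re.compile(r"^set nsrp vsd-group id \d+ (priority|preempt)")


def parse_session_summary(line):
    """Parse the first line of 'get session' into allocated/max/failed counts."""
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised 'get session' summary: %r" % line)
    return {"alloc": int(m.group(1)), "max": int(m.group(2)), "alloc_failed": int(m.group(3))}


def parse_nsrp_config(text):
    """Return the set of 'set nsrp ...' lines from 'get config | inc nsrp' output."""
    return {l.strip() for l in text.splitlines() if l.strip().startswith("set nsrp ")}


def compare_cluster(master_cfg, backup_cfg, master_sess, backup_sess, warn_pct=10.0):
    """Compare NSRP config and session counts of both members; return a report with findings."""
    findings = []
    m_cfg, b_cfg = parse_nsrp_config(master_cfg), parse_nsrp_config(backup_cfg)

    # Everything except the per-unit VSD priority/preempt lines should be identical.
    m_shared = {l for l in m_cfg if not PER_UNIT_RE.match(l)}
    b_shared = {l for l in b_cfg if not PER_UNIT_RE.match(l)}
    for line in sorted(m_shared ^ b_shared):
        findings.append("nsrp config differs between members: " + line)

    if "set nsrp rto-mirror sync" not in m_cfg:
        findings.append("rto-mirror sync is not enabled; sessions are not replicated at all")
    if AGEOUT_ACK not in m_cfg or AGEOUT_ACK not in b_cfg:
        findings.append(AGEOUT_ACK + " not set on both units: the backup ages sessions out "
                        "on its own timer, so its count is expected to lag the master (KB7701)")

    m_s, b_s = parse_session_summary(master_sess), parse_session_summary(backup_sess)
    if m_s["max"] != b_s["max"]:
        findings.append("session table sizes differ: %d vs %d" % (m_s["max"], b_s["max"]))
    if m_s["alloc_failed"] or b_s["alloc_failed"]:
        findings.append("session allocation failures seen (session table exhaustion)")

    # Lag of the backup behind the master, as a percentage of the master's table.
    delta = m_s["alloc"] - b_s["alloc"]
    delta_pct = 100.0 * delta / m_s["alloc"] if m_s["alloc"] else 0.0
    if abs(delta_pct) > warn_pct:
        findings.append("session count differs by %d (%.1f%% of master)" % (delta, delta_pct))

    return {"master_sessions": m_s["alloc"], "backup_sessions": b_s["alloc"],
            "delta": delta, "delta_pct": delta_pct, "findings": findings}


if __name__ == "__main__":
    report = compare_cluster(MASTER_NSRP_CONFIG, BACKUP_NSRP_CONFIG, MASTER_SESSION, BACKUP_SESSION)
    print("master %(master_sessions)d / backup %(backup_sessions)d sessions, delta %(delta)d" % report)
    for finding in report["findings"]:
        print(" -", finding)
```

    Run against the outputs in this thread it reports a delta of 101 sessions (about 29% of the master's table) and flags the missing ageout-ack line on both units; once that line is present on both members and the counts match, the findings list is empty. Lines that are expected to differ in an active/passive pair (VSD priority and preempt) are excluded from the config comparison so they do not generate noise.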

     



  • 4.  RE: Different number of sessions on an active / passive NSRP cluster

    Posted 07-22-2010 01:05

    Hi,

    In many cases the cluster performance is the most important requirement, and a couple of lost active sessions because of a failover (this happens not too often) is not considered a problem. This option reduces the cluster performance when enabled and increases the traffic on the HA links. Sometimes it is also useful to exclude certain types of traffic from the RTO mirroring (e.g. UDP, ICMP). This can be configured in the FW policies.

    Everything depends on the environment/requirements and applications used.

    Kind regards,

    Edouard