Check Point NG Cluster Logging issue

We have a cluster of two NG firewalls. The logging on member-1 is off by a couple of hours and the firewall logs locally. The member-2 is working beautifully.

When I perform a cprestart member-1, it would log to the SmartCenter (management server) normally but then slowly the logs fall behind in time until it is a couple of hours behind again.

I had checked the Check Point KnowledgeBase and had verified the daylight saving time settings on the member-firewalls and the SmartCenter. I have also checked log servers used.

I'm seeking advice on where else I should look to troubleshoot this incident. Your assistance is much appreciated.

Doug

Reply to
Doug Fox

But you haven't detailed your cluster logging configuration, which makes it difficult to offer troubleshooting advice.

The first step in sorting logging problems is _always_ Policy/Install Database.../Select All/OK on the SmartCenter - to make sure everybody is on the same page. Next steps are entirely dependent on your topology and logging configuration.

Triffid

Reply to
Triffid

"a couple of hours" meaning exactly what?

"slowly the logs fall behind" meaning that

  1. Initially - the time is correct
  2. After one hour, the time has _drifted_ XX minutes
  3. After two hours, the time has _drifted_ 2 XX minutes
  4. After three hours, the time has _drifted_ 3 XX minutes

Does the time difference ever stop drifting?

Daylight Saving Time is exactly one hour - no more, no less. The result of selecting the wrong time zone would (with few exceptions) be a time difference of some multiple of 60 minutes (one hour) exactly. There are a few locations around the world where the time zone is not exactly a multiple of hours - such as Newfoundland (-3:30), the center of Australia (+09:30), and several nearby islands (Lord Howe, Nauru and Norfolk = +11:30), Afghanistan (+4:30), India (+5:30), Iran (+3:30), Nepal (+5:45), and so on. Selection of a "wrong" time zone (which also affects DST) or date would result in a "fixed" error, not a drift.

On the individual firewalls - what is the "local" time? The command needed is probably something like 'date' or 'time' - see the manual, or it may be shown on a web page from the server. Most computers do not use a hardware clock (such as the BIOS clock on your PC) to keep track of time when the system is running (the BIOS clock keeps track of time when the power is off). Using your windoze box as an example, the O/S has an interrupt routine driven by a counter to cause the O/S's idea of time to be incremented some number of times per second (the original IBM PC running DOS kept track of time by being interrupted 18.5 times a second). If the setting of that counter is wrong, the O/S idea of time will drift by the ratio of the normal versus incorrect counter setting. Another form of error occurs when the computer gets too busy, and neglects to respond to those interrupts. As the "time" is incremented by the interrupt, missing the interrupt will mean that the time is not incremented - falling behind the real wall clock.

Old guy

Reply to
Moe Trin
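
One way to apply the fixed-error-versus-drift distinction from the post above, as an added example that is not part of the original thread: compare each log timestamp with a trusted reference clock over a few hours and fit a line through the offsets. The function names, the sample data and the 5-second and 500 ppm thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

TZ_STEP = 15 * 60  # time zone offsets are multiples of 15 minutes (e.g. +5:45)

def classify_offset(samples, tolerance=5.0, drift_ppm_limit=500.0):
    """samples: (reference_time, log_time) datetime pairs, oldest first.

    Returns (verdict, drift_ppm, mean_offset_seconds). Offset is
    log_time - reference_time, so a negative value means the log is behind.
    tolerance and drift_ppm_limit are illustrative thresholds (assumptions).
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to tell an offset from a drift")
    t0 = samples[0][0]
    xs = [(ref - t0).total_seconds() for ref, _ in samples]
    ys = [(log - ref).total_seconds() for ref, log in samples]
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span some elapsed time")
    # Least-squares slope: seconds of clock error gained per second elapsed.
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    drift_ppm = slope * 1e6
    if abs(drift_ppm) > drift_ppm_limit:
        return "drift", drift_ppm, my          # clock rate is wrong
    if abs(my) <= tolerance:
        return "in-sync", drift_ppm, my
    nearest = round(my / TZ_STEP) * TZ_STEP
    if abs(my - nearest) <= tolerance:
        return "fixed-tz-step", drift_ppm, my  # time zone / DST candidate
    return "fixed-other", drift_ppm, my        # clock was simply set wrong

def build(start, hours, offset_at):
    """Constructed sample data: one observation per hour."""
    return [(start + timedelta(hours=h),
             start + timedelta(hours=h, seconds=offset_at(h)))
            for h in range(hours)]

START = datetime(2024, 1, 1)                       # constructed start time
DRIFTING = build(START, 4, lambda h: -1200 * h)    # loses 20 minutes per hour
DST_WRONG = build(START, 4, lambda h: -3600 + h % 2)  # one hour behind, 1 s jitter
SET_WRONG = build(START, 4, lambda h: -500)        # constant 500 s behind

if __name__ == "__main__":
    for name, data in (("drifting", DRIFTING), ("dst", DST_WRONG), ("set", SET_WRONG)):
        verdict, ppm, mean = classify_offset(data)
        print(f"{name}: {verdict} drift={ppm:.0f} ppm mean offset={mean:.1f} s")
```

A "drift" verdict points at the clock rate or missed timer interrupts on that member, while "fixed-tz-step" points back at time zone or DST settings.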
