Thursday, January 5, 2012

Checkpoint : Finding Memory Leak

A memory leak, technically, is an ever-increasing usage of memory by an application.

With common desktop applications, this may go unnoticed, because all memory a process has used is released when you close the application.

However, in the client/server model, memory leakage is a serious issue, because applications are expected to be available 24×7. Applications must not continue to increase their memory usage indefinitely, because this can cause serious issues. To monitor such memory leaks, we can use the following commands.
[Expert@splat]# ps -aux | sort -k5 -n | tail -5
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root 30912 0.0 2.6 213348 55644 ? Sl 2011 0:07 in.aclientd 259
root 3783 0.0 2.6 213352 55544 ? Sl 2011 0:08 in.asessiond 0
root 30659 0.0 2.6 213436 55768 ? Sl 2011 0:08 in.ahclientd 900
root 3784 0.0 2.7 214356 56572 ? Sl 2011 0:09 in.aufpd 0
root 3504 0.0 3.1 414212 65168 ? Ssl 2011 24:32 fwd

In the above pipeline, sort -k5 -n orders the ps output numerically by the fifth column (VSZ), so the largest memory consumers, and here the highest %MEM, appear at the bottom. Just note down the PID with the highest %MEM usage. Then use the ps command to view all the details about this process ID, and monitor the change over time. You have to repeat it manually or run it from cron with the output redirected to a file.

[Expert@splat1]# ps -ev 3504
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
PID TTY STAT TIME MAJFL TRS DRS RSS %MEM COMMAND
3504 ? Ssl 24:32 22 78 414133 65168 3.1 fwd PPKDIR=/opt/CPppak-R70 CPMDIR=/opt/CPsuite-R70/fw1 CONSOLE=/dev/console TERM=linux SUDIR=/opt/C

[Expert@splat1]# ps -ev 3504
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
PID TTY STAT TIME MAJFL TRS DRS RSS %MEM COMMAND
3504 ? Ssl 24:32 22 78 414133 65168 3.1 fwd PPKDIR=/opt/CPppak-R70 CPMDIR=/opt/CPsuite-R70/fw1 CONSOLE=/dev/console TERM=linux SUDIR=/opt/C

Note: In the above output, if RSS (resident set size, in KB) increases steadily over time (and %MEM with it), it may indicate a memory leak in the application.
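The manual "note the PID, run ps again later, compare RSS" loop above can be scripted. The following POSIX sh is an added example, not from the original post; the function names (rss_of, leak_trend, monitor_pid) and the 1024 KB growth threshold are my own assumptions. It samples the RSS of one PID with ps -o rss=, appends each sample to a log file for later review, and then judges whether RSS grew past the threshold across the run.

```shell
#!/bin/sh
# Added example: poll one PID's RSS and flag sustained growth.
# Function names and the threshold below are assumptions, not from the page.

# Print the current RSS (KB) of a PID; prints nothing if the process is gone.
rss_of() {
    ps -o rss= -p "$1" 2>/dev/null | tr -d ' '
}

# leak_trend THRESH_KB SAMPLE...
# Compares the last sample with the first and counts how many samples rose
# relative to the previous one. A jump larger than THRESH_KB is reported as
# "growing"; small jitter around the first value is reported as "steady".
leak_trend() {
    thresh=$1; shift
    first=$1; prev=$1; last=$1; rises=0; shift
    for s in "$@"; do
        if [ "$s" -gt "$prev" ]; then
            rises=$((rises + 1))
        fi
        prev=$s; last=$s
    done
    delta=$((last - first))
    if [ "$delta" -gt "$thresh" ]; then
        echo "growing delta=${delta}KB rises=${rises}"
    else
        echo "steady delta=${delta}KB rises=${rises}"
    fi
}

# monitor_pid PID COUNT INTERVAL_SECONDS LOGFILE
# Takes COUNT samples INTERVAL_SECONDS apart, logs "epoch pid rss" lines,
# then prints the leak_trend verdict for the whole run.
monitor_pid() {
    pid=$1; n=$2; interval=$3; log=$4; samples=""; i=0
    while [ "$i" -lt "$n" ]; do
        r=$(rss_of "$pid")
        if [ -z "$r" ]; then
            echo "pid $pid exited"; return 1
        fi
        echo "$(date +%s) $pid $r" >> "$log"
        samples="$samples $r"
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then
            sleep "$interval"
        fi
    done
    # shellcheck disable=SC2086
    leak_trend 1024 $samples
}
```

For the fwd process shown above you would run something like monitor_pid 3504 60 60 /var/tmp/fwd_rss.log, which samples once a minute for an hour; a verdict of "growing" with a high rise count, repeated over several runs, is the pattern worth escalating.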

Tuesday, January 3, 2012

Checkpoint : State Synchronization Guide

To reduce or eliminate these error messages, verify that you have followed the recommendations below:

  • The sync network needs to be dedicated to synchronization only. It is not recommended to run VRRP or IPSO Cluster on sync interfaces (refer to sk39179).
  • Sync interfaces should be configured as non-ADP interfaces.
  • Synchronization interfaces should be the same speed or faster than the fastest interface on the VRRP or IPSO Cluster. However, this recommendation is impractical when 10 gigabit interfaces are employed. In practice, no more than 2 gigabits of throughput is needed for sync traffic on IPSO Appliances. This means a pair of non-ADP gigabit Ethernet interfaces will be sufficient, though in many cases a single gigabit Ethernet interface will suffice.
  • It is recommended to use a dedicated VLAN on a switch for Check Point sync traffic from a single cluster only, i.e. you should not mix CP sync traffic from other cluster members across this dedicated VLAN. Use of a cross-over cable is also supported in a 2-node cluster. Choosing a switch or a cross-over cable for CP sync traffic is an environment preference.
  • For VRRP only - disable synchronization for certain services. This will help stabilize the systems because:
    1. Less memory will be demanded by the sync process. You already saw some related messages in the fwd.elg about sync buffers being full.
    2. This will free up CPU time.

The HTTP, HTTPS and DNS services are good candidates to be taken out of synchronization. Because of their short-lived nature, they are not affected in a failover scenario without synchronization.

  • The following limitations apply to state synchronization over a wide area network:
    1. The synchronization network must guarantee no more than 100ms latency and no more than 5% packet loss.
    2. The synchronization network may only include switches and hubs. No routers are allowed on the synchronization network, because routers will drop Cluster Control Protocol (CCP) packets. CCP is either Multicast or Broadcast and thus non-routable.
  • If an IP cluster is configured between two IPSO Appliances located in two different cities, CCP and VRRP advertisements need to be updated quite frequently. Any latency can cause both cluster members to behave abnormally. Also, if there is a break in the WAN link, both will become master, which can also cause problems.
    The solution is to ensure minimal latency between the cluster members and a highly reliable link.

Checkpoint - IPSO - Memory Usage

In Voyager, under the Monitor option, select CPU and Memory Utilization. This gives you the Total Real Memory, Active Real Memory and the Free Memory available on the appliance.

For console access, use clish to display the Real Memory Used. This value is displayed as a percentage.


ipso[admin]# clish

clish:1> show useful-stats

Components          Total
Active Routes       4
Packets Forwarded   0
VRRP Masters        0
Real Memory Used    22%
Disk Capacity       11%


Note: The real physical memory output gathered from Voyager is taken from the kernel directly.