Firewall-1

Re: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

Subject: Re: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP
From: Philipp Mueller <Philipp.Mueller AT CABLECOM DOT CH>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 17 May 2004 11:49:51 +0200
You are right, ARP is really the problem if you use a virtual IP-@.
Therefore you have to assign a MAC-@ to the virtual IP-@.

If you use L2 Multicast you have to configure on the switch the
relation virtual IP-@ multicast MAC-@ statically.

Otherwise you have to set the virtual IP-@ unicast MAC-@ on
the switch statically.

We have more than 10 clusters working with L2 multicast without
a problem.

cheers
Philipp
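Both Philipp's advice (one MAC per virtual address, pinned statically on the switch, a multicast MAC in L2 multicast mode) and the earlier suggestion of static ARP entries on the Ciscos come down to the same requirement: every NATed address must answer with exactly one MAC, not one per node. The Python below is an added example, not code from this thread or from Check Point; it cross-checks the local.arp files of two nodes against the static-NAT list and emits Cisco IOS static ARP lines. The local.arp layout, the file contents and all addresses are assumed and constructed.

```python
import re

# Constructed local.arp contents for the two cluster nodes (not from the thread).
# Assumed format: "<IP> <MAC>" per line, '#' comments, '-' or ':' MAC separators.
# Node B disagrees on one NATed address and lacks another: the "both nodes ARP
# and the router gets confused" case described in the original post.
NODE_A = """\
203.0.113.10 00-50-56-aa-bb-01   # cluster VIP (constructed)
203.0.113.20 00-50-56-aa-bb-01   # static NAT address (constructed)
203.0.113.21 00-50-56-aa-bb-01   # static NAT address (constructed)
"""
NODE_B = """\
203.0.113.10 00-50-56-aa-bb-01
203.0.113.20 00-50-56-aa-bb-02
"""
NAT_IPS = ["203.0.113.20", "203.0.113.21"]

def parse_local_arp(text):
    """Return {ip: 12-hex-digit MAC}; raises on a malformed MAC."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()[:2]
        mac = mac.replace("-", "").replace(":", "").lower()
        if not re.fullmatch(r"[0-9a-f]{12}", mac):
            raise ValueError(f"bad MAC for {ip}: {mac!r}")
        entries[ip] = mac
    return entries

def is_multicast_mac(mac):
    """I/G bit (low bit of the first octet) set means a multicast MAC."""
    return bool(int(mac[:2], 16) & 1)

def audit(node_a, node_b, nat_ips, mode="unicast"):
    """Problems the router/switch would trip over: a NATed address missing on
    one node, the nodes answering with different MACs, or a non-multicast
    MAC while running L2 multicast mode."""
    problems = []
    for ip in nat_ips:
        a, b = node_a.get(ip), node_b.get(ip)
        if a is None or b is None:
            problems.append(f"{ip}: missing on node {'A' if a is None else 'B'}")
        elif a != b:
            problems.append(f"{ip}: node A says {a}, node B says {b}")
        elif mode == "multicast" and not is_multicast_mac(a):
            problems.append(f"{ip}: {a} is not a multicast MAC")
    return problems

def ios_static_arp(entries):
    """Cisco IOS 'arp <ip> <hhhh.hhhh.hhhh> arpa' lines, one MAC per address."""
    return [f"arp {ip} {m[:4]}.{m[4:8]}.{m[8:]} arpa"
            for ip, m in sorted(entries.items())]
```

Run `audit` over the real files from both nodes before touching the routers; an empty list means the static ARP lines from `ios_static_arp` will teach the Ciscos the same answer either node would give.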

>>> shoney.joy AT HAL.HITACHI DOT COM 11.05.2004 23:32:04 >>>

I ran into a similar issue on my R55 HA new mode cluster when my Sync
network went down.

Check it out..

SJ

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Douglas Sawyer
Sent: Friday, April 30, 2004 12:42 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

As with StoneBeat, I understand you must use ARPs on the switches for
non-VRRP clustering to work. You may even need CAMs on the layer 2 side of
the switches as well. Ugly, but it does work.

Douglas Sawyer
Security Analyst
248-489-5016
sawyedg AT trinity-health DOT org
sawyedg AT MyAirMail DOT com


>>> Collins.Chris AT FIN.GC DOT CA 4/29/2004 9:56:15 AM >>>
Try adding a static ARP entry on the Ciscos for the cluster IP and MAC
address of FW-1. That helped us with the Cisco communication.


-----Original Message-----
From:   Not Available [mailto:not_112 AT HOTMAIL DOT COM]
Sent:   April 29, 2004 8:28 AM
To:     FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject:        [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

Hi all,

Two old enemies are allying with each other to pop up in my nightmares.

Two firewalls, Windows 2000 SP4, CheckPoint R55 HFA03 - the latest.

Inside and DMZs, vanilla hub/switches.
Outside, a hub connects the cluster to a couple of Cisco routers
configured for HSRP redundancy.

Tried out several configurations for the cluster, but the frustrating
results seem to indicate there are serious problems getting static NATs
to work when working with the cluster: cannot reach NATed services from
the outside.

If I delete the cluster object and assign the Virtual IPs to physical
interfaces of one node while the other is off, it works like a charm.
Automatic ARP does it, OR I can turn it off and use the local.arp file.

Working with the cluster is a bit different: outgoing traffic (hidden
behind the cluster external interface) works, inbound traffic doesn't get
to the servers.

A little troubleshooting seems to blame ARP for it all. When using
automatic ARP, no luck. Using the local.arp file makes no difference. Tried
even fwparp.exe, but it worked a few hours then stopped (maybe when the
router's ARP cache flushed).

I tried using unicast load sharing, multicast (even if my routers seem
not to like mcast very much), HA new mode. Didn't try legacy mode yet,
just because it is deprecated by CP's documentation.

What turns out in every case is that the cluster seems able to ARP out
for the cluster virtual IP address, but can't do it for NATed addresses,
no matter how I try to set it up.

Using automatic ARP, it looks like it doesn't ARP at all.

Using local.arp, both nodes would ARP, confusing the router (and it
seems the effect is like no ARP at all...)

Are there any experiences you can share on how to configure the cluster
in such a configuration? Is it possible to make it work with static NAT?
Should I use automatic ARP or what?

Thank you all in advance...

    NA

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email
fw-1-owner AT ts.checkpoint DOT com
=================================================
