Firewall-1

Re: [FW-1] FLAPPING CROSSOVER

Subject: Re: [FW-1] FLAPPING CROSSOVER
From: GoddardM AT SCHNEIDER DOT COM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 17 Sep 2004 14:27:22 -0500
The problem with HFA08, if you've watched the mailing list, is that it
broke:
Secure Client/Secure Remote
VPN Tunnels

So, in my opinion, that is not a fix. I have heard HFA09 is a little
better, then again, I have also heard the VPN tunnels were still broken.
This is still not acceptable for us, so we have yet to upgrade.

Bugs I have seen:
When installing policy, failover may occur. You can fix this by setting:
fw ctl set int fwha_freeze_state_machine_timeout 30
Disable it by giving the value of 0.

Use cpstop and cpstart instead of the cprestart commands. Sometimes
cprestart leaves clusters in an unstable state.

Legacy Unicast HA mode went away after FP2. It has returned in R55.

Try to keep your synch interface on a crossover or hub. Hub is preferred,
unless you want to mess with the multicast/broadcast stuff you have seen
already sent to the mailing list. If you have three or more, you might get
into a situation where you want to use a switch. Then you need to make sure
you have a dedicated VLAN and that the switch will do multicasts, or set
CCP to be broadcast.

Synch over a WAN is a bad idea, avoid it if you can. Something like this:
synch network must guarantee no more than 100ms latency, and no more than
5% packet loss. (WAN is very hard to control, I'd recommend avoiding doing
synch that way). Also, routers will drop the CCP packets of ClusterXL. You
MAY be able to get around this with a helper-address on Cisco routers, or
something similar on other routers. Not sure, I have not tried.

User-Auth sessions are lost if a cluster member goes down. This is the
functionality of the firewalls, not really a bug. Just an FYI. User-Auth
sessions go to your security server, so they cannot be synched.


There! I have dumped what I can remember! The ClusterXL docs are a great
place, this is where I got most of this info. SK is also a great place to
look. The cphaprob script is very cool.

Hope this helped at least someone! The synch stuff is really useful for any
type of HA, not just ClusterXL.

Regards,
Matt Goddard
Security Information Team
Schneider National
920-592-4787
goddardm AT schneider DOT com
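As an added example (not from Matt's post, and not a Check Point tool), the figures he quotes for a synch network, no more than 100 ms latency and no more than 5% packet loss, can be turned into a small POSIX sh check over the summary that `ping` prints. It assumes the iputils or BSD `ping` summary layout and leaves the peer address as a placeholder.

```sh
#!/bin/sh
# Added example: hold a sync-link ping summary to the limits quoted in the
# post (<= 100 ms average RTT, <= 5% packet loss). Assumes the iputils/BSD
# `ping -c N <peer>` summary layout; those two lines are all it reads.

MAX_LATENCY_MS=100
MAX_LOSS_PCT=5

# sync_link_ok "<ping summary>" -> 0 within limits, 1 out of limits, 2 unparseable
sync_link_ok() {
    summary="$1"
    # "10 packets transmitted, 9 received, 10% packet loss, time 9012ms"
    loss=$(printf '%s\n' "$summary" | sed -n 's/.* \([0-9][0-9.]*\)% packet loss.*/\1/p')
    # "rtt min/avg/max/mdev = 0.180/0.212/0.301/0.040 ms" -> the avg field
    avg=$(printf '%s\n' "$summary" | sed -n 's#^[a-z-]* min/avg/max[^=]*= [0-9.]*/\([0-9.]*\)/.*#\1#p')
    if [ -z "$loss" ] || [ -z "$avg" ]; then
        echo "sync check: could not parse ping summary" >&2
        return 2
    fi
    loss_pct=${loss%.*}; loss_pct=${loss_pct:-0}   # truncate to whole percent
    avg_ms=${avg%.*};    avg_ms=${avg_ms:-0}       # truncate to whole ms
    rc=0
    if [ "$loss_pct" -gt "$MAX_LOSS_PCT" ]; then
        echo "sync check: ${loss}% loss exceeds ${MAX_LOSS_PCT}%" >&2
        rc=1
    fi
    if [ "$avg_ms" -gt "$MAX_LATENCY_MS" ]; then
        echo "sync check: ${avg} ms avg RTT exceeds ${MAX_LATENCY_MS} ms" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a healthy crossover-cable sync link.
SAMPLE_OK='10 packets transmitted, 10 received, 0% packet loss, time 9005ms
rtt min/avg/max/mdev = 0.180/0.212/0.301/0.040 ms'
# Constructed sample: a WAN-style link that misses both limits.
SAMPLE_WAN='20 packets transmitted, 17 received, 15% packet loss, time 19100ms
rtt min/avg/max/mdev = 98.4/140.7/210.2/30.1 ms'

if sync_link_ok "$SAMPLE_OK"; then echo "crossover sample: within limits"; fi
if sync_link_ok "$SAMPLE_WAN"; then :; else echo "WAN sample: rejected"; fi
# Live use (placeholder peer): sync_link_ok "$(ping -c 20 <peer-sync-ip> | tail -n 2)"
```

Run it from a cluster member against the other member's sync address; a non-zero exit means the link would not meet the limits quoted above.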



From: Claudia Cordova <ccordova AT SEFISA DOT COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Date: 09/17/2004 10:21 AM
Please respond to Mailing list for discussion of Firewall-1
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
cc:
Subject: Re: [FW-1] FLAPPING CROSSOVER

I had this problem before. It's resolved with HFA08 installed on the
Enforcement Modules.

Claudia Cordova
Technical Support
SEFISA
El Salvador - Central America
ccordova AT sefisa DOT com
Tel: (503)2890097
Cel: (503)8512041
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Torkel
Mathisen
Sent: Friday, September 17, 2004 9:07 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] FLAPPING CROSSOVER

Hi Matt

Could you perhaps share some of those bugs with this list?

We have several issues with Cluster-XL. We seem to have
fixed some of them, but I'm not sure about all.

We also have a problem where we can only ping hosts when we
actually snoop/tcpdump on the interface. As soon as we stop
dumping we can't ping the host anymore. (We had to switch
to the secondary node to get it to work ok.)

I would like to know your experiences with ClusterXL and the
problems you know of.

Thanks,
Torkel

> -----Original Message-----
> From: GoddardM AT SCHNEIDER DOT COM [mailto:GoddardM AT SCHNEIDER DOT COM]
> Sent: 15. september 2004 15:31
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] FLAPPING CROSSOVER
>
>
> Are you running ClusterXL, or other? What OS? There are quite
> a few bugs I
> know of in just ClusterXL alone with synch...
> Perhaps I may be able to help you. Let the mailing list know. :-)
>
>
> Regards,
> Matt Goddard
> Security Information Team
> Schneider National
> 920-592-4787
> goddardm AT schneider DOT com
>
>
>
> From: "Garner, Annette K **BETH" <KAGarner AT ARCHCHEMICALS DOT COM>
> Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> Date: 09/15/2004 06:18 AM
> Please respond to Mailing list for discussion of Firewall-1
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> cc:
> Subject: [FW-1] FLAPPING CROSSOVER
>
> I have swapped out the cable and switched to a new NIC with
> no luck.
> I turned off auto-negotiation and set it to 100baseTX-FD
> flow-control on
> both boxes.
>
>
>
> Thanks,
>
> Annette
>
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
