Firewall-1

[FW-1] ClusterXL New Mode secondary IPs problem

Subject: [FW-1] ClusterXL New Mode secondary IPs problem
From: Cáceres Cotarelo, Francisco Javier <franciscoj.caceres AT GETRONICS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 17 Nov 2004 11:52:29 +0100
Hi guys,
 
  I've been lately trying to make the ClusterXL new mode to work migrating from 
an old StoneBeat installation. The new cluster is formed by two nodes with 
SecurePlatform R55. Smartcenter is also R55. The system works well until we try 
to use secondary cluster IPs. The problem is more or less the following:
 
  Both machines have several NICs to interconnect different subnets. On several 
physical interfaces it was needed to configure a few secondary IPs (eth0:1, 
eth0:2, and so on). The problem arises when configuring clusterXL for those 
secondary IPs. The system works with all the cluster IPs answering requests fine, 
but when failover occurs, only the cluster IP of the first IP (let's say, the one 
associated with eth0) survives.
  After tracing the issue with a scanner, we observe that the node taking over 
releases gratuitous ARP for its real IPs and for the cluster IPs, but only for 
those cluster IPs related to the main IP of each interface. In other words, the 
node does not release gratuitous ARP for the cluster IPs of those secondary IPs 
defined on the interfaces. If you delete the ARP table and from a node request 
an ARP for one of these secondary cluster IPs, it works fine, but it makes the 
system not viable for an automatic transition.

  I've tried everything like:
 - enabling the proxy_arp feature at the SecurePlatform level (echo "1"...)
 - adding static routes to the secondary cluster IPs through the real IPs of the 
   interfaces.
 - defining static proxy ARP for the secondary cluster IPs.
 - disabling Extended Cluster Anti-Spoofing.

  Has any of you got an idea why this is happening? Any help would be more than 
appreciated.
 
Best Regards,
Javier.
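A check that can be run over a packet capture taken during a failover, as an added example that is not part of the original post or of Check Point's tooling: it parses Ethernet/ARP frames, keeps only the gratuitous ones (sender IP equal to target IP), and reports which of the expected cluster IPs the surviving node never announced. The cluster IPs, the node MAC and the sample capture are constructed values.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = b"\x08\x06"
# Constructed sample values: the cluster IPs expected on eth0, eth0:1 and eth0:2,
# and the MAC of the node taking over after failover (not from the original post).
EXPECTED_CLUSTER_IPS = {"192.0.2.1", "192.0.2.17", "192.0.2.33"}
NODE_MAC = bytes.fromhex("00163e000001")


def build_arp(sender_mac, sender_ip, target_ip, opcode=2):
    """Build an Ethernet+ARP frame. A gratuitous ARP carries sender IP == target IP."""
    eth = b"\xff" * 6 + sender_mac + ETH_P_ARP
    target_mac = b"\x00" * 6 if opcode == 1 else sender_mac
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + IPv4Address(sender_ip).packed
    arp += target_mac + IPv4Address(target_ip).packed
    return eth + arp


def parse_gratuitous_arp(frame):
    """Return the IP a gratuitous ARP (request or reply) announces, else None."""
    if len(frame) < 42 or frame[12:14] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or opcode not in (1, 2):
        return None
    sender_ip = str(IPv4Address(frame[28:32]))
    target_ip = str(IPv4Address(frame[38:42]))
    return sender_ip if sender_ip == target_ip else None


def missing_announcements(frames, expected=EXPECTED_CLUSTER_IPS):
    """Cluster IPs that no gratuitous ARP in the capture announced, sorted."""
    announced = {ip for ip in map(parse_gratuitous_arp, frames) if ip}
    return sorted(set(expected) - announced)


# Constructed capture reproducing the symptom: the node announces its real IP and
# the eth0 cluster IP, but nothing for the secondary cluster IPs on eth0:1/eth0:2.
SAMPLE_CAPTURE = [
    build_arp(NODE_MAC, "192.0.2.2", "192.0.2.2"),              # real IP of eth0
    build_arp(NODE_MAC, "192.0.2.1", "192.0.2.1"),              # cluster IP of eth0
    build_arp(NODE_MAC, "192.0.2.2", "192.0.2.254", opcode=1),  # ordinary ARP request, ignored
]

if __name__ == "__main__":
    print("cluster IPs without gratuitous ARP:", missing_announcements(SAMPLE_CAPTURE))
```

On a real capture, feed the raw Ethernet frames (for example from a pcap reader) to missing_announcements in place of SAMPLE_CAPTURE; an empty result means every cluster IP, secondary ones included, was announced by the node taking over.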
 
