Firewall-1

Re: [FW-1] ClusterXL New Mode secondary IPs problem

Subject: Re: [FW-1] ClusterXL New Mode secondary IPs problem
From: Cáceres Cotarelo, Francisco Javier <franciscoj.caceres AT GETRONICS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 17 Nov 2004 15:37:05 +0100

Hi Sal,
 
  I'm using switches, but in this case, we have verified it has nothing to do with 
them. CCP works fine either way broadcast/multicast, and the active node 
transition also works well. The only problem is that the overtaking node does not 
release the appropriate gratuitous ARP announcements for the cluster IPs of the 
secondary (not VLANs) IPs of the interfaces.
 
  So, if there is no way to notify the CP module to monitor every secondary 
interface as well as the primary's, I guess there is not much I can do about it.
 
Thanks anyway for your help mate,
Best regards,
Javier.

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Previtera, Sal
Sent: Wed 17/11/2004 14:57
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] ClusterXL New Mode secondary IPs problem



What kind of Network Switch are you using?
Are you using Multicast...by default ClusterXL uses Multicast...may want to
use Broadcast instead.

-----Original Message-----
From: Cáceres Cotarelo, Francisco Javier
[mailto:franciscoj.caceres AT GETRONICS DOT COM]
Sent: Wednesday, November 17, 2004 4:52 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] ClusterXL New Mode secondary IPs problem

Hi guys,

  I've lately been trying to make the ClusterXL new mode work, migrating
from an old StoneBeat installation. The new cluster is formed by two nodes
with SecurePlatform R55. SmartCenter is also R55. The system works well
until we try to use secondary cluster IPs. The problem is more or less the
following:

  Both machines have several NICs to interconnect different subnets. On
several physical interfaces it was necessary to configure a few secondary IPs
(eth0:1, eth0:2, and so on). The problem arises when configuring ClusterXL
for those secondary IPs. The system works with all the cluster IPs answering
requests fine, but when failover occurs, only the cluster IP of the first
IP (let's say, the one associated with eth0) survives.
  After tracing the issue with a scanner, we observe that the node taking
over releases gratuitous ARP for its real IPs and for the cluster IPs, but
only for those cluster IPs related to the main IP of each interface. In other
words, the node does not release gratuitous ARP for the cluster IPs of those
secondary IPs defined on the interfaces. If you delete the ARP table and
from a node request an ARP for a cluster IP of one of these secondary
cluster IPs, it works fine, but it does make the system not viable for an
automatic transition.

  I've tried everything like:
- enabled the proxy_arp feature at the SecurePlatform level (echo "1"...)
- added static routes to the cluster secondary IPs through the real IPs of the
  interfaces.
- defined static proxy ARP for the secondary cluster IPs.
- disabled Extended cluster anti-spoofing.

  Has any of you got an idea why this is happening? Any help would be more
than appreciated.

Best Regards,
Javier.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
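
The check described in the thread (which cluster IPs get a gratuitous ARP from the member taking over) can be automated over captured frames. The following is an added example, not part of the original messages and not Check Point code: the function names, MAC addresses and documentation-range IPs are assumptions, the frames are constructed, and it assumes untagged Ethernet frames where the member uses its own MAC as the ARP sender address.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def arp_frame(src_mac, op, spa, tpa):
    """Build a broadcast Ethernet+ARP frame (used only for the constructed sample)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, 0x0806)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, src_mac,
                             socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def announced_ips(frames, member_mac):
    """IPs the given member announced gratuitously (sender IP == target IP)."""
    seen = set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[1] == member_mac and parsed[2] == parsed[3]:
            seen.add(parsed[2])
    return seen

def missing_announcements(frames, member_mac, cluster_ips):
    """Cluster IPs that received no gratuitous ARP from the member taking over."""
    missing = set(cluster_ips) - announced_ips(frames, member_mac)
    return sorted(missing, key=socket.inet_aton)

# Constructed sample: node B takes over and announces its real IP and the primary cluster IP only.
NODE_B = bytes.fromhex("02000000000b")
CLIENT = bytes.fromhex("0200000000c1")
CLUSTER_IPS = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]  # eth0, eth0:1, eth0:2
SAMPLE = [
    arp_frame(NODE_B, 1, "192.0.2.3", "192.0.2.3"),         # real IP of node B
    arp_frame(NODE_B, 2, "192.0.2.1", "192.0.2.1"),         # primary cluster IP
    arp_frame(CLIENT, 1, "198.51.100.50", "198.51.100.1"),  # ordinary request, not gratuitous
    b"\x00" * 20,                                           # truncated frame, ignored
]

if __name__ == "__main__":
    print(missing_announcements(SAMPLE, NODE_B, CLUSTER_IPS))
```

Fed with frames captured on each segment during a failover test, a non-empty result lists the cluster IPs whose neighbours will keep a stale ARP entry until it expires.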
