On Thu, May 26, 2005 at 05:48:41PM -0400, Michael Robare wrote:
> Hi All - I don't remember if I ever posted this question or not.
>
> We have two Nokia IP500's running software release: 3.6FCS6 and ver:1061-2003
>
> I don't know much about these boxes (a consultant install) - just enough to
> be dangerous.
>
> They are configured in VRRP failover.
>
> The issue/symptom is this -
> We use HTTP to manage the boxes.
> Access to the Primary is no problem. The screens come up in a matter of
> seconds.
>
> The problem is the Secondary - it takes many seconds, sometimes minutes, to
> bring up a screen.
>
> Any ideas on this - aside, of course, from the normal cable/port duplex and
> speed settings.
>
What IP address are you using as the http address? Imagine the following
setup:
You (192.168.0.5) ---- (192.168.0.1 VRRP)      10.0.0.1 (VRRP)
                       (192.168.0.2 Primary    10.0.0.2)
                       (192.168.0.3 Secondary  10.0.0.3)
Now if you try to manage the secondary using 10.0.0.3, your default route
(or your router if things are more complex) will send the packets to the
VRRP address, which is really the primary, which will then route them over the
external interface. The replies, however, will return directly from the
secondary, as it knows where to send them. This confuses Checkpoint's state
table something chronic, as each one is only seeing half the connection.
The easiest solution is of course to manage them from the closest IP
address, which in this case is 192.168.0.3 (or .2 for the primary). If this
is not an easy solution, then you need to route 10.0.0.3/32 at 192.168.0.3.
In the above diagram this would be a static on the workstation, which is not
ideal, but you only need to do that for those devices that are authorized to
manage the firewall. If there's a router between you and the firewall, then
add the route there (adding a route that maps 10.0.0.2/32 -> 192.168.0.2 at
the same time is a terribly good idea. The primary isn't *always* the master
:>)
This may not be your problem, however... :>
Smaff
--
You happen to be here, now.
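The path asymmetry Smaff describes, modelled as an added example that is not part of his reply or of anything on the original thread. The addresses come from the diagram above; the routing tables, the function names (`resolve_next_hop`, `trace_management_session`, `is_symmetric`) and the simplification that a reply always leaves the managed box's inside interface straight back to the workstation are assumptions made for the illustration. The model does longest-prefix-match lookups on the workstation's table and reports which box the request first hits and which box sends the reply; when those differ, one firewall's state table sees only half the connection.

```python
"""Model of asymmetric routing to a VRRP firewall pair (constructed example)."""
import ipaddress

# Constructed topology, taken from the diagram in the message above.
WORKSTATION = "192.168.0.5"
VRRP_VIP = "192.168.0.1"          # inside VRRP address, held by whichever box is master
FIREWALLS = {
    "primary":   {"inside": "192.168.0.2", "outside": "10.0.0.2"},
    "secondary": {"inside": "192.168.0.3", "outside": "10.0.0.3"},
}
DIRECT = "direct"                 # marker for a connected route: no next hop needed

# Workstation routing table as most hosts have it: connected subnet plus a default.
DEFAULT_ONLY = [
    ("192.168.0.0/24", DIRECT),
    ("0.0.0.0/0", VRRP_VIP),
]
# Same table with the two /32 host routes Smaff suggests (assumed form).
WITH_HOST_ROUTES = DEFAULT_ONLY + [
    ("10.0.0.2/32", FIREWALLS["primary"]["inside"]),
    ("10.0.0.3/32", FIREWALLS["secondary"]["inside"]),
]


def resolve_next_hop(table, dst):
    """Longest-prefix-match lookup; returns a next-hop IP, DIRECT, or None if no route."""
    dst_addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def box_for_address(ip, vrrp_master):
    """Which firewall answers for an address: the VIP belongs to the current master."""
    if ip == VRRP_VIP:
        return vrrp_master
    for name, fw in FIREWALLS.items():
        if ip in (fw["inside"], fw["outside"]):
            return name
    return None


def trace_management_session(table, mgmt_ip, vrrp_master="primary"):
    """Return (box that first receives the request, box that sends the reply).

    The reply is assumed to leave the managed box's inside interface directly
    to the workstation, which is on the connected subnet.
    """
    target = box_for_address(mgmt_ip, vrrp_master)
    next_hop = resolve_next_hop(table, mgmt_ip)
    if next_hop is None:
        raise ValueError(f"no route to {mgmt_ip}")
    first_hop = target if next_hop == DIRECT else box_for_address(next_hop, vrrp_master)
    return first_hop, target


def is_symmetric(table, mgmt_ip, vrrp_master="primary"):
    """True when request and reply traverse the same box (one state table sees both halves)."""
    first_hop, target = trace_management_session(table, mgmt_ip, vrrp_master)
    return first_hop == target


if __name__ == "__main__":
    cases = [
        (DEFAULT_ONLY,      "10.0.0.3",    "primary"),    # the poster's slow case
        (DEFAULT_ONLY,      "192.168.0.3", "primary"),    # manage via the closest address
        (WITH_HOST_ROUTES,  "10.0.0.3",    "primary"),    # /32 route fixes the outside address
        (DEFAULT_ONLY,      "10.0.0.2",    "secondary"),  # after failover the primary suffers too
        (WITH_HOST_ROUTES,  "10.0.0.2",    "secondary"),  # both /32s cover the failover case
    ]
    for table, ip, master in cases:
        req, rep = trace_management_session(table, ip, master)
        state = "symmetric " if req == rep else "ASYMMETRIC"
        print(f"master={master:9s} mgmt={ip:12s} request->{req:9s} reply<-{rep:9s} {state}")
```

Run as a script it prints one line per case; only the two rows that use the outside address through the default route come out asymmetric, and the last row shows why Smaff wants the 10.0.0.2/32 route as well. On a Linux workstation the assumed host route would be added with `ip route add 10.0.0.3/32 via 192.168.0.3` (the poster does not say what the management host runs).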
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================