Firewall-1

Re: [FW-1] NATing and network related issues

Subject: Re: [FW-1] NATing and network related issues
From: Charalambos Klitiropoulos <klitiro AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 28 Jun 2005 20:58:21 +0300
Hello,

do you use VRRP on your cluster? If so, you must not fill in any information on 
the topology tab of the cluster object (only in the cluster member objects). 
Another possible cause according to CP's knowledge base is when you enter 
the NATed IP as the object's IP address and the real address of the server 
in the NAT tab (if you use automatic NAT). The last one however does not 
seem to be the cause, as you would have noticed these problems right from 
the start, but you never know. By the way, do you have another object with 
the NATed IP and if so, do you use it anywhere in your policy?

On 6/28/05, Lenny Sanchez <lennys AT healthgate DOT com> wrote:
> 
> Hello,
> 
> For the last couple of weeks, I've had a problem(s) surface that had never 
> come up before. I'm running a cluster configuration of 2 Nokia IP440's with 
> Checkpoint NG AI R55. The usual route downstream is from the IDC's router, 
> through the primary firewall, down to an F5 load balancing appliance. As you 
> all know, the load balancer will then make the decision as to which of the 2 
> web servers (Windows 2003 Standard Servers, multi-homed NICs) to send 
> traffic to. What we started to see happening was, the traffic destined for the 
> external interface on the firewall was instead routing through the internal 
> interface. The firewall was saying, "no way, address spoof", and then dropping 
> the outbound packets. This started happening out of nowhere. Checked every 
> route on every device under the sun. Started to add new ones in hoping I 
> could catch a break. You guys have to understand, no other sites/services 
> were having this problem. Only these 2003 servers, which had been routing 
> correctly for a bit of time.
> 
> So as a test, I bypassed the whole DMZ route. Come in through the 
> firewalls, go through an internal router, and then to only one of the 2003 
> servers. Made the necessary static route change within the firewall. Worked 
> for a few days, then started seeing "Connection contains real IP of NATed 
> address". So, changed over to the other server. Same thing. Traffic is fine 
> for a while, and then "Connection contains IP of NATed address".
> 
> I know I'm missing something. Any help you guys/girls could provide would 
> be great.
> 
> Thanks
> Lenny
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
