Re: [FW-1] Cluster XL Problem

Subject:	Re: [FW-1] Cluster XL Problem
From:	Dave Aitchison <Dave AT CANBERRADJ DOT COM>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Mon, 25 Jul 2005 11:44:36 +1000

Cisco routers will all have trouble talking to a ClusterXL cluster inload-sharing HA. This is because they throw away any arp responses fora non-multicast IP that contain a multicast MAC. It's an RFC thing thatCisco is enforcing.


As you've done, the fix is to chuck in a static ARP.

Cheers,

Dave Aitchison

Layne Meier wrote:

I just implemented the recommended Cisco configuration information onmy Cisco Swtiches and now I can do Load Sharing Multicast in my cluster.

(See pages 37 and 38 of the NG-AI, R55 ClusterXL Configuration Guide -June 2003).


Mind you, I'm running NG-AI, R55, HFA_R55_15

Thank you all for your assistance

Layne Meier
Atlanta, GA


On Jul 20, 2005, at 9:17 AM, Cassell,Damon Z. wrote:

This is not necessarily true. I've found that Cisco 2950 switches are
plug and play when it comes to multicast addresses and ClusterXL. I'm
currently testing such a configuration.

Page 52 of Checkpoint's ClusterXL R55 guide suggests some hardware, and
there is also an additional sk document mentioned there that talks about
specific switch configurations.

Damon Cassell



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Timothy
Arnold
Sent: Wednesday, July 20, 2005 7:56 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cluster XL Problem

do you have a cisco router/switch in front of them? iirc they cannot
handle
multicast addresses so you need to put a static arp entry in!


----- Original Message -----
From: "Layne Meier" <lmeier AT AJC DOT COM>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Wednesday, July 20, 2005 12:38 PM
Subject: [FW-1] Cluster XL Problem

I'm having a bit of trouble setting up a VPN-1/Firewall-1 Cluster.

In my attempt, I have all of the appropriate licenses (VFF, ClusterXL,

Policy Server).

I have set up a pair of Sun Netra T-1 105 servers, with a QuadFast
Ethernet Adapter in each of them as the enforcement modules.  I've set

up

a Sun Netra X1 as the management server.  All of these systems are


running

Sun Solaris 8, with the appropriate Solaris patches required by


CheckPoint

installed.

I defined my cluster with the "virtual" IP Addresses that will be


used,

defined the two enforcement modules as cluster members with unique IP
Addresses for their local interfaces.  Pushed a policy to them.

All of this is pretty normal.  However, here is my problem.

If I establish my cluster as a Load Sharing, Multicast cluster, I can


only

ping from my local network, the two unique IP Addresses of the LAN
interfaces of the two enforcement modules.  I cannot ping, the virtual

IP

Address, the external unique IP Addresses, nor the virtual of them.

If I change it to a Load Sharing, Unicast cluster, I can ping all
interfaces, including all virtuals.  I prefer the concept of a load
sharing cluster without having a pivot system.

Any thoughts as to why I can't get Load Sharing Multicast to work?

Thank you,
Layne Meier
Atlanta, GA

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================





Notice:
The information contained in this e-mail message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege.  If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised.  If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] Cluster XL Problem, Layne Meier Re: [FW-1] Cluster XL Problem, Timothy Arnold Re: [FW-1] Cluster XL Problem, Layne Meier Re: [FW-1] Cluster XL Problem, Cassell,Damon Z. Re: [FW-1] Cluster XL Problem, Layne Meier Re: [FW-1] Cluster XL Problem, Dave Aitchison <=

Previous by Date:	[FW-1] R54 SmartDashboard crashes with "FwPolicy.exe - Application Error", Dave Aitchison
Next by Date:	Re: [FW-1] Best CheckPoint on BladeFusion,Alteon,Crossbeam, etc?, Luan Nguyen-Misoft
Previous by Thread:	Re: [FW-1] Cluster XL Problem, Layne Meier
Next by Thread:	Re: [FW-1] Cluster XL sync problem, Lino Eduardo Avila Rodríguez
Indexes:	[Date] [Thread] [Top] [All Lists]