Hello,
now you've got me confused. Given that VRRP is an active-standby mechanism,
under normal circumstances only one cluster member should be active at
any given time. With this in mind, if packets for server A come out of your
firewall from interface X and their replies go through interface Z, then the
error should be about spoofed packets, provided you have enabled
anti-spoofing checking.
If the error is about out-of-state packets, and the error is generated by
a member other than the active cluster member, then you should check your
cluster. You can do that with the commands "fw ctl pstat" and "fw tab -t
connections -s". The first one provides information about FW-1's sync
mechanism, and under normal operation you should see that the total number
of sync packets is non-zero and increasing. The second one gives you
information about the number of connections the firewall knows of, and
under normal operation the values must be close on each cluster member. You
can find more information about these commands in Check Point's KB.
On 7/28/05, Lorenzo <satana AT libero DOT it> wrote:
>
> Yep I know, the actual configuration is really absurd (I mean I'm paying
> lots of money to have kind of a kernel 2.2 Linux firewall)... This is, as
> you guessed, a big installation and, yes, there's asynchronous routing (I
> mean the "returning" connections pass through a different interface). In
> your opinion, how can I check if the synchronization is working correctly?
> (I'm using Nokia with VRRP and, as far as I know, the nodes switch correctly
> from one to another. CP is configured with VRRP and there's a sync net with
> a heartbeat interface. The only difference in my config with Nokia's
> suggested one is that the two IP appliances are linked via a crossed cable
> instead of a switch).
>
> Thanx in advance
>
> Lorenzo
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of
> Charalambos Klitiropoulos
> Sent: Tuesday, 26 July 2005 23:54
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] R: [FW-1] Inverted Connections
>
> Disabling stateful inspection will convert an (expensive) stateful firewall
> into a plain packet filtering firewall. Could there be a case of
> asynchronous routing (where incoming packets take a different route than
> outgoing)? Maybe a high availability configuration with non-working
> synchronization? Please note that I have seen drops like that in the past
> (confirmed without asynchronous routing), but every case was in a large
> installation and the percentage of dropped connections was far too low to
> be a real problem for the users.
>
> On 7/26/05, Lorenzo <satana AT libero DOT it> wrote:
> >
> > Yes. It's seen as out of state... Obviously if I disable the check on
> > stateful TCP packets the connection works...
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of
> > Charalambos Klitiropoulos
> > Sent: Monday, 25 July 2005 21:31
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: Re: [FW-1] Inverted Connections
> >
> > Hello,
> >
> > Is there any information in the information column? There can be cases
> > where FW-1 will drop a connection because of an invalid TCP packet or
> > because of a SmartDefense setting. Even if that connection was
> > originated by HOST1, but SERVER1 sent a packet that FW-1 does not
> > consider to be correct, the drop log entry will show that the source was
> > SERVER1 and the destination was HOST1. But in every such case you should
> > see some comment in the information column that explains why FW-1
> > dropped that packet.
> >
> > On 7/25/05, Lorenzo <satana AT libero DOT it> wrote:
> > >
> > > Hi guys,
> > > Has anybody had the same problem?
> > > Basically, I'm expecting a connection from HOST1 to SERVER1 on TCP
> > > port, let's say, 6000. This happens, but sometimes I see on the
> > > tracker that there are some connections from SERVER1 to HOST1, with
> > > a "random" destination port and 6000 as source port.
> > >
> > > I'm wondering if this could be a CheckPoint problem....
> > >
> > > Thanx in advance
> > >
> > > Lorenzo
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > LISTSERV AT amadeus.us.checkpoint DOT com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list, please see the instructions
> > > at http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your subscription
> > > options, email fw-1-owner AT ts.checkpoint DOT com
> > > =================================================
> > >
> >
>
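The two cluster checks suggested in the first reply of this thread (the sync counters from `fw ctl pstat` must be non-zero and increasing, and the connections-table size from `fw tab -t connections -s` must be close on both members) as an added POSIX shell example; this is not code from any message in the thread or from Check Point. The command outputs embedded below are constructed samples in the layout I am used to seeing; the column positions of the `connections` line and the `total : N,` line format are assumptions, so confirm them against your own appliances before trusting the verdicts.

```shell
#!/bin/sh
# Added example, not from the thread. Implements the two checks the first
# reply suggests for a FW-1 cluster:
#   1. the "Sync packets sent/received" totals in "fw ctl pstat" are non-zero
#      and grow between two samples taken some time apart;
#   2. the #VALS column of "fw tab -t connections -s" is close on both members.
# All command output below is constructed; the field positions are assumptions.

# Constructed "fw tab -t connections -s" output. Member A carries the traffic;
# member B knows almost nothing (state is not being synced); member C is fine.
TAB_A='HOST                  NAME                        ID #VALS #PEAK #SLINKS
localhost             connections               8158  4120  6000    8240'
TAB_B='HOST                  NAME                        ID #VALS #PEAK #SLINKS
localhost             connections               8158    37  6000      74'
TAB_C='HOST                  NAME                        ID #VALS #PEAK #SLINKS
localhost             connections               8158  3990  6000    7980'

# Constructed sync section of "fw ctl pstat", sampled 60 seconds apart.
PSTAT_T0='Sync:
    Version: new
    Status: Able to Send/Receive sync packets
    Sync packets sent:
     total : 1200,  retransmitted : 0, retrans reqs : 0,  acks : 0
    Sync packets received:
     total : 1180,  of which 0 queued and 0 dropped by net'
PSTAT_T1='Sync:
    Version: new
    Status: Able to Send/Receive sync packets
    Sync packets sent:
     total : 1260,  retransmitted : 0, retrans reqs : 0,  acks : 0
    Sync packets received:
     total : 1238,  of which 0 queued and 0 dropped by net'

# Print the #VALS column (assumed to be the 4th field) of the "connections" row.
connections_vals() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'
}

# Print the "total" count on the line that follows the given header, e.g.
# "Sync packets sent:". Leading whitespace on the header line is ignored.
sync_total() {
    printf '%s\n' "$1" | awk -v hdr="$2" '
        found { sub(/.*total *: */, ""); sub(/,.*/, ""); print; exit }
        index($0, hdr) > 0 { found = 1 }'
}

# Succeed when the two members' #VALS differ by at most $3 percent (default 10).
connections_in_sync() {
    a=$(connections_vals "$1"); b=$(connections_vals "$2"); tol=${3:-10}
    if [ "$a" -gt "$b" ]; then big=$a; small=$b; else big=$b; small=$a; fi
    [ "$big" -eq 0 ] && return 0
    [ $(( (big - small) * 100 / big )) -le "$tol" ]
}

# Succeed when the counter under header $3 is non-zero in the second sample
# and larger than in the first, i.e. sync traffic is actually flowing.
sync_counter_increasing() {
    t0=$(sync_total "$1" "$3"); t1=$(sync_total "$2" "$3")
    [ "$t1" -gt 0 ] && [ "$t1" -gt "$t0" ]
}

# Stand-alone report over the constructed samples.
for hdr in "Sync packets sent:" "Sync packets received:"; do
    if sync_counter_increasing "$PSTAT_T0" "$PSTAT_T1" "$hdr"; then
        echo "ok:   $hdr counter is non-zero and increasing"
    else
        echo "FAIL: $hdr counter is zero or static; check the sync network"
    fi
done
if connections_in_sync "$TAB_A" "$TAB_B"; then
    echo "ok:   connections tables agree"
else
    echo "FAIL: connections tables differ; the standby is not receiving state"
fi
```

On a real pair you would replace the constructed strings with `fw ctl pstat` run twice a minute apart on one member and `fw tab -t connections -s` run on each member at roughly the same moment; a counter that is zero or static, or a standby whose #VALS is a small fraction of the active member's, is the non-working synchronization the thread is talking about.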