Hello,
We are running two firewalls (NGX), with ClusterXL New Mode. One
firewall (active) carries 100% of the load, and the second carries 0%
of the load (standby).
The problem is, when the standby firewall goes to originate traffic
(let's say DNS, NTP, other OS required protocols) they fail. The
reason is that the ClusterXL sources the packet from the VIP, not from
the physical interface. And that VIP is currently owned by the
primary firewall. So the traffic leaves standbyfirewall, but returns
to activefirewall.
The state tables are sync'd, but the problem is that the firewall that
gets the traffic (the primary) didn't source the traffic, so it
discards it. Meanwhile firewall2 (standby) never sees a reply.
Any work around?
Shane
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
|
