Firewall-1

Subject: [FW-1] AW: [FW-1] Problem with ClusterXL & Traffic sourced from a standby firewall
From: "Hagedorn, Philipp" <Philipp.Hagedorn AT GETRONICS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 17 Jan 2006 20:52:40 +0100

Hi,

Unfortunately I can't give any advice on that problem, but one thing that is
very important for the future: if you do any clustering with Checkpoint, try to
get the Checkpoint firewall on a Nokia box (IP350 etc.) and handle the whole
clustering with the Nokia clustering features. That is the easiest way to get
clustering to work with Checkpoint Firewall. And it works perfectly.
I have around 12 clusters running with Checkpoint and Nokia and they work 100%,
with FP3, FP4, NGX, whatever it takes.
It will get a bit more expensive, but what you save with the ClusterXL
license, you can put in the Nokias.
That's well-invested money.
If you need help with Nokia clustering, let me know.
 
Greets Phil
 

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Shane Presley
Sent: Tue 17.01.2006 20:33
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Problem with ClusterXL & Traffic sourced from a standby firewall



Hello,

We are running two firewalls (NGX), with ClusterXL New Mode.  One
firewall (active) carries 100% of the load, and the second carries 0%
of the load (standby).

The problem is, when the standby firewall goes to originate traffic
(let's say DNS, NTP, other OS required protocols) they fail.  The
reason is that the ClusterXL sources the packet from the VIP, not from
the physical interface.  And that VIP is currently owned by the
primary firewall.  So the traffic leaves standbyfirewall, but returns
to activefirewall.

The state tables are sync'd, but the problem is that the firewall that
gets the traffic (the primary) didn't source the traffic, so it
discards it.  Meanwhile firewall2 (standby) never sees a reply.

Any workaround?

Shane
