Shane,
Something here does not make sense. You may need to audit your config to
see if you have a config error. I would start by checking the ARP table of
your upstream router/switch to see what it sees.
CXL in New Mode uses real IP addresses. GARPs are sent to upstream
router/switch to tell it which is the active member. The upstream router
will see the VIP tied to the MAC of the active's interface (VIP = Active
MAC). The standby firewall acts as just another node behind the router.
When a failure occurs, a GARP is sent to make the standby's MAC = the VIP
MAC.
Not sure what OS you are running or if you are using CCP (cluster control
proto) in multicast (default) or broadcast mode. Re-check your config.
Also check the contents of the $FWDIR/boot/ha_boot.conf. What is the
ccp_mode set to? If it is multicast, try changing the CCP mode to broadcast
using this command on both of the firewalls:
cphaconf set_ccp broadcast
This command will survive a reboot, but you don't need to reboot or
cprestart.
Check the ARP cache of the upstream router. You should see the real IPs of
each firewall with its real MAC addresses in b-cast mode. You will also see
that the VIP is tied to the active member's MAC.
I prefer using CCP broadcast in HA mode, since all upstream routers/switches
will know how to handle "real" unicast MAC addresses.
By the way, CXL works just fine on Splat, and CXL for HA does not require an
additional CXL license. Not sure how Nokia Clustering works, but if a CP
critical process fails while all interfaces are "up" will Nokia Clustering
failover?
I hope this sheds some light on your situation.
Neil Delacruz
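The ARP-cache check Neil describes above (VIP tied to the active member's real MAC, and in CCP broadcast mode each member's real IP present with its own MAC) as a small added script; this is example code, not anything from the thread or from Check Point. The Cisco-style "show ip arp" lines, the VIP, the member IPs and the MACs are all constructed for the example.

```python
"""Compare an upstream router's ARP cache with the expected ClusterXL
mapping: the VIP must resolve to the active member's real interface MAC,
and in CCP broadcast mode every member's real IP should be listed with
its own MAC.  Added example; all addresses below are constructed."""
import re

# Constructed "show ip arp" output; the VIP (192.0.2.10) currently
# resolves to fw1's MAC, so fw1 is the active member.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.0c07.ac01  ARPA   Vlan10
Internet  192.0.2.10              2   0011.2233.4401  ARPA   Vlan10
Internet  192.0.2.11              0   0011.2233.4401  ARPA   Vlan10
Internet  192.0.2.12              0   0011.2233.4402  ARPA   Vlan10
"""

VIP = "192.0.2.10"
# Hypothetical cluster members: name -> (real IP, real interface MAC).
MEMBERS = {
    "fw1": ("192.0.2.11", "00:11:22:33:44:01"),
    "fw2": ("192.0.2.12", "00:11:22:33:44:02"),
}

# One ARP entry per line: "Internet <ip> <age> <mac> ..."
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-fA-F.:-]+)", re.M)


def normalize_mac(mac):
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55
    and return the lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return {ip: normalized mac} for every ARP entry in the output."""
    return {ip: normalize_mac(mac) for ip, mac in ARP_RE.findall(text)}


def check_cluster_arp(arp, vip, members):
    """Work out which member owns the VIP and list anything that does
    not match the expected New Mode picture."""
    findings = []
    by_mac = {normalize_mac(mac): name for name, (_ip, mac) in members.items()}
    vip_mac = arp.get(vip)
    active = by_mac.get(vip_mac) if vip_mac else None
    if vip_mac is None:
        findings.append("VIP %s not in ARP cache: no GARP seen or wrong segment" % vip)
    elif active is None:
        findings.append("VIP %s maps to %s, which is no member's real MAC "
                        "(stale entry or another device answering)" % (vip, vip_mac))
    for name, (ip, mac) in members.items():
        seen = arp.get(ip)
        if seen is None:
            findings.append("%s real IP %s absent: expected in CCP broadcast mode" % (name, ip))
        elif seen != normalize_mac(mac):
            findings.append("%s real IP %s maps to %s, expected %s"
                            % (name, ip, seen, normalize_mac(mac)))
    return {"active": active, "findings": findings}


if __name__ == "__main__":
    result = check_cluster_arp(parse_arp(SAMPLE_ARP), VIP, MEMBERS)
    print("active member:", result["active"])
    for line in result["findings"]:
        print("finding:", line)
```

Paste the real router output in place of SAMPLE_ARP and fill in the members' real IPs and MACs. After a failover the VIP entry should flip to the other member's MAC once the GARP is processed; a VIP entry that matches neither member is the first thing to chase.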
On 1/17/06, Hagedorn, Philipp <Philipp.Hagedorn AT getronics DOT com> wrote:
>
> Hi
>
> Unfortunately I can't give any advice on that problem, but one thing that
> is very important for the future: if you do any clustering with Checkpoint,
> try to get the Checkpoint firewall on a Nokia box (IP350 etc.) and handle the
> whole clustering with the Nokia Clustering features; that is the easiest way
> to get clustering to work with Checkpoint Firewall. And it works perfectly.
> I have around 12 Clusters running with Checkpoint and Nokia and they work
> 100%, with FP3, FP4, NGX whatever it takes.
> It will get a bit more expensive, but what you save with the Cluster XL
> license, you can put in the Nokias.
> That's good invested money.
> If you need help with Nokia Clustering, let me know.
>
> Greets Phil
>
>
> ________________________________
>
> From: Mailing list for discussion of Firewall-1 on behalf of Shane
> Presley
> Sent: Tue 17.01.2006 20:33
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] Problem with ClusterXL & Traffic sourced from a standby
> firewall
>
>
>
> Hello,
>
> We are running two firewalls (NGX), with ClusterXL New Mode. One
> firewall (active) carries 100% of the load, and the second carries 0%
> of the load (standby).
>
> The problem is, when the standby firewall goes to originate traffic
> (let's say DNS, NTP, other OS required protocols) they fail. The
> reason is that the ClusterXL sources the packet from the VIP, not from
> the physical interface. And that VIP is currently owned by the
> primary firewall. So the traffic leaves the standby firewall, but returns
> to the active firewall.
>
> The state tables are sync'd, but the problem is that the firewall that
> gets the traffic (the primary) didn't source the traffic, so it
> discards it. Meanwhile firewall2 (standby) never sees a reply.
>
> Any work around?
>
> Shane
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================