Hi All,
                  |--(internal)-FirewallA-(external)--|
                  |                                   |
hostX ------------|                                   |--CiscoRouterY--(Internet)
                  |                                   |
                  |--(internal)-FirewallB-(external)--|
hostX IP: 192.168.10.100/24
FirewallA:
    internal IP: 192.168.10.2/24
    external IP: 192.168.12.2/24
FirewallB:
    internal IP: 192.168.10.3/24
    external IP: 192.168.12.3/24
ClusterXL IP:
    internal IP: 192.168.10.1/24
    external IP: 192.168.12.1/24
CiscoRouterY:
    internal IP: 192.168.12.4/24
    external IP: 4.2.2.2
Both FirewallA and FirewallB are running NG with AI R55W and HFA_04. The
management server is Provider-1 NG with AI R55W. FirewallA and FirewallB
are running ClusterXL HA (Active/Standby) in new mode. Failover is working fine,
and VPN failover is also working fine. At the moment, FirewallA is the Active
member while FirewallB is the Standby. Currently, I have about 10 site-to-site
VPNs between this pair of firewalls and ten different partners, and everything
is working perfectly.
From FirewallB (while it is in standby mode), whenever I ping hostX, the
tcpdump on hostX always shows the ICMP echo request coming from the
ClusterXL IP address:
# hostname
hostX
# tcpdump -i hme0 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hme0, link-type EN10MB (Ethernet), capture size 68 bytes
08:05:16.192446 IP 192.168.10.1 > 192.168.10.100: icmp 64: echo request seq 0
08:05:16.193221 IP 192.168.10.100 > 192.168.10.1: icmp 64: echo reply seq 0
08:05:17.192842 IP 192.168.10.1 > 192.168.10.100: icmp 64: echo request seq 256
08:05:17.192895 IP 192.168.10.100 > 192.168.10.1: icmp 64: echo reply seq 256
08:05:18.192943 IP 192.168.10.1 > 192.168.10.100: icmp 64: echo request seq 512
08:05:18.192982 IP 192.168.10.100 > 192.168.10.1: icmp 64: echo reply seq 512
08:05:19.186131 IP 192.168.10.1 > 192.168.10.100: icmp 64: echo request seq 768
08:05:19.186171 IP 192.168.10.100 > 192.168.10.1: icmp 64: echo reply seq 768
[FirewallA]# cphaprob state
Cluster Mode:   New High Availability (Active Up)
Number     Unique Address   Assigned Load   State
1 (local)  192.168.10.2     100%            active
2          192.168.10.3     0%              standby
[FirewallA]#

[FirewallB]# cphaprob state
Cluster Mode:   New High Availability (Active Up)
Number     Unique Address   Assigned Load   State
1          192.168.10.2     100%            active
2 (local)  192.168.10.3     0%              standby
[FirewallB]#
So what this means is that when I ping hostX from FirewallB, hostX sees
the ClusterXL IP address, and the echo reply from hostX comes back to
FirewallA.
Is this the way ClusterXL works? I am confused. Can someone shed some light
on this? I've never worked with ClusterXL, only with Nokia VRRP, and Nokia VRRP
does not behave this way. Is there a way to force FirewallB to use its physical
IP address instead of the ClusterXL IP address?
TIA.
cisco4ng
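To check a capture like the one above mechanically rather than by eye, here is an added Python example (not from the original post and not Check Point code) that parses the tcpdump lines quoted in the post, labels each echo request's source as the ClusterXL VIP or one of the members' physical addresses using the IPs from the post, and pairs each request with its reply by sequence number so you can see which address the reply is returned to. The function names are my own.

```python
import re
from collections import Counter

# Addresses taken from the topology in the post.
CLUSTER_VIP = "192.168.10.1"
MEMBERS = {"192.168.10.2": "FirewallA", "192.168.10.3": "FirewallB"}

# tcpdump lines as captured on hostX in the post (the banner lines are skipped by the parser).
CAPTURE = """\
listening on hme0, link-type EN10MB (Ethernet), capture size 68 bytes
08:05:16.192446 IP 192.168.10.1 > 192.168.10.100: icmp 64: echo request seq 0
08:05:16.193221 IP 192.168.10.100 > 192.168.10.1: icmp 64: echo reply seq 0
08:05:17.192842 IP 192.168.10.1 > 192.168.10.100: icmp 64: echo request seq 256
08:05:17.192895 IP 192.168.10.100 > 192.168.10.1: icmp 64: echo reply seq 256
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
    r"echo (?P<kind>request|reply) seq (?P<seq>\d+)$"
)

def parse_icmp(capture):
    """Return one dict per ICMP echo line; non-matching lines (banners) are ignored."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"])
            pkts.append(d)
    return pkts

def classify(addr):
    """Label an address as the cluster VIP, a known member, or unknown."""
    return "cluster VIP" if addr == CLUSTER_VIP else MEMBERS.get(addr, "unknown")

def source_summary(capture):
    """Count echo requests by the kind of address they were sourced from."""
    return dict(Counter(classify(p["src"]) for p in parse_icmp(capture) if p["kind"] == "request"))

def echo_pairs(capture):
    """Pair requests with replies by seq: (seq, request source label, reply destination label)."""
    pkts = parse_icmp(capture)
    requests = {p["seq"]: p for p in pkts if p["kind"] == "request"}
    return [(p["seq"], classify(requests[p["seq"]]["src"]), classify(p["dst"]))
            for p in pkts if p["kind"] == "reply" and p["seq"] in requests]

if __name__ == "__main__":
    print(source_summary(CAPTURE))
    for seq, src, back_to in echo_pairs(CAPTURE):
        print(f"seq {seq}: request from {src}, reply returned to {back_to}")
```

Feed it the output of `tcpdump -i <if> -n icmp` on the host being pinged; a request labelled "cluster VIP" will be answered to the VIP, which the active member holds, regardless of which member sent it.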