Firewall-1

Re: [FW-1] Provider-1 with Active/Standby CMAs

Subject: Re: [FW-1] Provider-1 with Active/Standby CMAs
From: Adam BE <adamb_e AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 22 Mar 2006 16:45:58 -0800
Hi,

You shouldn't have a problem working with High Availability in NG AI / NGX in 
Provider-1. I've successfully configured it numerous times on different 
configurations and platforms (SPLAT / Solaris).  There are a few important 
things you should watch out for:

1. Make sure that routing is set up properly on *both* MDSs.
   From each MDS machine you should be able to ping the CMAs which are present
   on the peer MDS. The MDS IP (Leading IP) should be routable and there should be
   a specific route which says that the CMAs are accessible via the MDS IP.
   Example:
   MDS A [192.168.0.1]                     MDS B [193.168.0.2]
   CMA IP range [1.1.1.2 - 1.1.1.254]      CMA IP range [2.2.2.2 - 2.2.2.254]

   MDS A should route:  2.2.2.0/24 via 193.168.0.3
   MDS B should route:  1.1.1.0/24 via 192.168.0.1

2. Make sure the Leading Interface and IP you chose during installation on *both*
   MDSs is the *external* interface. If not, change the Leading Interface to an
   external one via the command: mdsconfig

3. The MDSs / MLMs should be *clock synchronized* in order to operate
   correctly. This is crucial as the synchronization is based on the times. You
   could use an NTP or rdate server in order to sync the clocks.

I suggest configuring the status checking interval of each MDS accordingly; this
depends on the number of CMAs and objects in the global and local databases. A
value too high will make the status lag behind, a value too low might put too
much load on your MDSs.
Of course the MDSs / MLMs must all be of the same platform (i.e. you can't mix
a Solaris primary MDS with a SPLAT secondary).

Best regards,
Adam.
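The routing check from point 1 above, as an added example that is not part of Adam's post or of any Check Point tool: a POSIX shell script that verifies an MDS has a specific route for its peer's CMA range with the peer's Leading IP as next hop, and prints the command to add it when it is missing or points elsewhere (a route to the right prefix with the wrong next hop, or no route at all so the CMA traffic falls to the default gateway, both fail). The addresses follow the example above; the route tables, interface names and the Linux `route add` syntax (SPLAT is Linux-based; Solaris uses a different syntax) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check that an MDS has the
# static route it needs to reach the CMAs hosted on its peer MDS.
# All addresses are hypothetical; the route tables are constructed sample
# output in Linux `netstat -rn` layout, not captured from a real MDS.

# Constructed route table as seen on MDS A (Leading IP 192.168.0.1):
# the peer CMA range 2.2.2.0/24 goes via MDS B's Leading IP 193.168.0.2.
SAMPLE_ROUTES_A='Destination     Gateway         Genmask         Flags Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     eth0
2.2.2.0         193.168.0.2     255.255.255.0   UG    eth0
0.0.0.0         192.168.0.254   0.0.0.0         UG    eth0'

# Constructed route table as seen on MDS B: the route for MDS A's CMA range
# points at a host that is not MDS A's Leading IP, so the check must fail.
SAMPLE_ROUTES_B='Destination     Gateway         Genmask         Flags Iface
193.168.0.0     0.0.0.0         255.255.255.0   U     eth0
1.1.1.0         192.168.0.7     255.255.255.0   UG    eth0
0.0.0.0         193.168.0.254   0.0.0.0         UG    eth0'

# peer_cma_route_ok TABLE NET MASK PEER_LEADING_IP
# Succeeds only if TABLE has an entry for NET/MASK whose gateway is the
# peer MDS's Leading IP. The header line never matches because its first
# field is the word "Destination".
peer_cma_route_ok() {
  printf '%s\n' "$1" | awk -v net="$2" -v mask="$3" -v gw="$4" '
    $1 == net && $3 == mask && $2 == gw { ok = 1 }
    END { if (ok) exit 0; exit 1 }'
}

# route_fix_cmd NET MASK PEER_LEADING_IP
# Prints the Linux-style command that adds the missing route (assumed to
# apply to SPLAT; make it persistent through the platform's config rather
# than running it once).
route_fix_cmd() {
  printf 'route add -net %s netmask %s gw %s\n' "$1" "$2" "$3"
}

# check_mds LABEL TABLE PEER_NET PEER_MASK PEER_LEADING_IP
# Reports the result and returns 0 when the route is right, 1 otherwise.
check_mds() {
  if peer_cma_route_ok "$2" "$3" "$4" "$5"; then
    printf '%s: route to peer CMAs %s/%s via %s OK\n' "$1" "$3" "$4" "$5"
    return 0
  fi
  printf '%s: missing or wrong route to peer CMAs, add with:\n  %s\n' \
    "$1" "$(route_fix_cmd "$3" "$4" "$5")"
  return 1
}

# Stand-alone run over the constructed tables.
check_mds "MDS A" "$SAMPLE_ROUTES_A" 2.2.2.0 255.255.255.0 193.168.0.2
check_mds "MDS B" "$SAMPLE_ROUTES_B" 1.1.1.0 255.255.255.0 192.168.0.1 || true
```

On a live MDS you would feed the real `netstat -rn` output into `peer_cma_route_ok` instead of the constructed table, run it on both MDSs, and only then ping the peer's CMA addresses; a ping that succeeds via the default route can hide a missing specific route, which is why the script insists on the exact next hop.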

cisco4ng <cisco4ng AT YAHOO DOT COM> wrote: I am not sure if this thing will
  work well in an environment where we have constant changes to be made to the
  CMAs and we have about 60 Firewall Administrators logging into the MDS at the
  same time. One scenario is that you have one Firewall Administrator logging
  into an Active CMA while the other Firewall Administrator logs into a standby
  CMA and switches the standby CMA into Active. Honestly, I don't think
  Checkpoint stress tests Active/Standby CMAs in an environment where you have
  constant changes.

  I will start testing this and keep everyone posted.

  cisco4ng

chkp tech  wrote:
  I've set up and used HA CMAs and in NGX this has been revised quite a bit.
I've found that if everything is set up correctly, and connectivity isn't
hampered, then it works quite well. I'd suggest knowing which MDS will have
all of the secondary CMAs and keep them there. This makes your life quite a
bit easier. If you run into trouble, look at connectivity first.

Jason


On 3/7/06, cisco4ng wrote:
>
> Hello gurus,
>
> Is anyone currently deploying Provider-1 NG with AI R55w or
> Provider-1 NGx R60 or R60A in production with High Availability
> (i.e. Active/Standby) CMAs?
>
> We are currently looking at the possibility of implementing
> Provider-1 with Active/Standby CMA. The Active/Standby will not
> be residing at the same location. For example, the Active
> CMA will be residing in the USA while the Standby CMA will be
> residing in Europe. The Provider-1 between USA and Europe will
> be communicating with each other via a dedicated T3 (45mbps)
> circuit.
>
> The last time I dealt with Active/Standby was back in 2004 with
> NG with AI R55 with HFA_05. It was a total disaster. I had both
> the Primary Provider-1 (Manager & Container) and Secondary
> Provider-1 (Manager & Container) practically on the same physical
> network and they were about 5 feet away from each other. The
> provider-1 Primary & Secondary MDS were in constant collision
> mode (NOT GOOD). Furthermore, I could not switch back and forth
> between the Active/Standby CMA. This damn thing broke before
> I even tried to break it to see how it actually worked in a
> production environment. Needless to say, it was not a good
> experience. Checkpoint TAC could not figure out the problem either.
> I gave up after a few weeks.
>
> Anyone "successfully" deploying Provider-1 NG with AI or NGx with
> Active/Standby CMAs, please comment.
>
> TIA
> cisco4ng
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
