
[FW-1] Troubleshoot Interface flapping on firewall cluster

Subject: [FW-1] Troubleshoot Interface flapping on firewall cluster
From: "Alex S." <alexals AT KKIPC DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sat, 13 May 2006 21:07:11 +0800
Platform: NG AI R55 HFA17 on Solaris 9, 3 enforcements, 4 interfaces (1 external, 2 internal, 1 heartbeat), SUN Gigaswift QuadCard.
3rd party software: RainWall 3.1 SP5 R1

If you look at the following, you will see that every enforcement shows its remote peers as down. A reboot didn't fix it. Any ideas on troubleshooting?

Enforcement 1:

bash-2.05# cphaprob state
Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1 (local)       10.1.0.1             active
2               10.1.0.2             down
3               10.1.0.3             down
(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.


Enforcement 2:

bash-2.05# cphaprob state
Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1               10.1.0.1             down
2(local)        10.1.0.2             active
3               10.1.0.3             down
(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.


Enforcement 3:

bash-2.05# cphaprob state
Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1               10.1.0.1             down
2               10.1.0.2             down
3(local)        10.1.0.3             active
(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.


Description:

Enforcements 1 & 2 are connected to Cisco 6509 switches through VLAN10, while enforcement 3 is connected to another Cisco 6509 switch through the same VLAN10. The two Cisco 6509 switches are located far from each other and are connected via trunked fiber links. These enforcements are installed with RainWall 3.1 SP5 R1. RainWall is OPSEC 3rd-party load balancing software.

According to the ClusterXL document, I need to configure both switches for "no igmp snooping" in order to disable IGMP advertisement on the Cisco 6509 switches. Once done, I rebooted all three enforcements in the firewall cluster simultaneously and observed the synchronization activity between them. All of them synchronized successfully but... when I checked again using the command "cphaprob state", I found that every enforcement sees the others as down. I kept rebooting them but I got the same problem as shown above. It does not synchronize after that.

Frustrated with this problem, and since this is a production firewall cluster, I set up three test machines (using Linux) in order to simulate our live firewall cluster. They use 100Mbps NIC cards as opposed to the production firewall cluster, which is using SUN Gigaswift QuadCards. It works well and is able to synchronize.

I found another solution, which is to set a permanent multicast address on both Cisco 6509 switches, which is also stated in the ClusterXL document. But, I wonder... if our test firewall cluster is able to synchronize well with only setting both switches for "no igmp snooping", by right our existing production firewall cluster (which is running on Solaris) should work as well... am I right?

If I need to set the multicast address on the switches, how do I determine the multicast address being used by the firewall cluster? By right, it should be a default multicast address, am I right?

Thanks for all who helps me.

Regards,

Al
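Added example, not part of the post above: a small Python script that parses the `cphaprob state` output in the format shown in the post and cross-checks the captures from all members against each other. The first set of captures is transcribed from the post; the second set (two members both reporting 10.1.0.3 down) is constructed here to show the contrasting verdict. The verdict names ("healthy", "member_down", "isolated", "partial") and the classification rules are this example's own, not anything from Check Point or RainWall documentation.

```python
"""Cross-check `cphaprob state` captures from every member of a cluster.

The row format parsed here is the one shown in the post, e.g.
    1 (local)       10.1.0.1             active
    2               10.1.0.2             down
Both "1 (local)" and "2(local)" spellings are accepted.
"""
import re
from typing import Dict, List, NamedTuple, Set


class MemberView(NamedTuple):
    number: int
    address: str
    state: str
    local: bool


ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s*(?P<local>\(local\))?\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>[A-Za-z][A-Za-z ]*?)\s*$"
)


def parse_cphaprob_state(text: str) -> List[MemberView]:
    """Return the member rows of one `cphaprob state` capture, in order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(MemberView(int(m["num"]), m["addr"],
                                   m["state"].strip().lower(), m["local"] is not None))
    return rows


def diagnose(captures: List[str]) -> Dict[str, object]:
    """Combine one capture per member into a single view of who sees whom.

    Verdicts (this example's own terms):
      healthy     - no member reports any peer down
      member_down - the same member(s) are reported down by every other reporter
      isolated    - every member reports itself active and every peer down
      partial     - anything else (asymmetric view; check per-link)
    """
    down_by: Dict[str, Set[str]] = {}   # reporter address -> peers it reports down
    members: Set[str] = set()
    for text in captures:
        rows = parse_cphaprob_state(text)
        local = [r for r in rows if r.local]
        if len(local) != 1:
            raise ValueError("expected exactly one (local) row per capture")
        me = local[0]
        if me.state != "active":
            raise ValueError(f"{me.address} does not report itself active: {me.state}")
        members.update(r.address for r in rows)
        down_by[me.address] = {r.address for r in rows if not r.local and r.state == "down"}

    # A member is "unanimously down" if every *other* reporter marks it down.
    unanimously_down = {
        m for m in members
        if any(r != m for r in down_by)
        and all(m in d for r, d in down_by.items() if r != m)
    }
    if not any(down_by.values()):
        verdict = "healthy"
    elif all(d == members - {r} for r, d in down_by.items()):
        verdict = "isolated"
    elif unanimously_down and all(d <= unanimously_down for d in down_by.values()):
        verdict = "member_down"
    else:
        verdict = "partial"

    return {
        "verdict": verdict,
        "members": sorted(members),
        "down_by": {r: sorted(d) for r, d in sorted(down_by.items())},
    }


# Transcribed from the three captures in the post.
ENFORCEMENT_1 = """Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1 (local)       10.1.0.1             active
2               10.1.0.2             down
3               10.1.0.3             down
(*) FW-1 monitors only the sync operation and the security policy."""
ENFORCEMENT_2 = ENFORCEMENT_1.replace("1 (local)       10.1.0.1             active",
                                      "1               10.1.0.1             down") \
                             .replace("2               10.1.0.2             down",
                                      "2(local)        10.1.0.2             active")
ENFORCEMENT_3 = ENFORCEMENT_1.replace("1 (local)       10.1.0.1             active",
                                      "1               10.1.0.1             down") \
                             .replace("3               10.1.0.3             down",
                                      "3(local)        10.1.0.3             active")
CAPTURES_FROM_POST = [ENFORCEMENT_1, ENFORCEMENT_2, ENFORCEMENT_3]

# Constructed contrast case: members 1 and 2 both see each other, only member 3 is down.
CAPTURES_ONE_MEMBER_DOWN = [
    ENFORCEMENT_1.replace("2               10.1.0.2             down",
                          "2               10.1.0.2             active"),
    ENFORCEMENT_2.replace("1               10.1.0.1             down",
                          "1               10.1.0.1             active"),
]

if __name__ == "__main__":
    for label, caps in (("post", CAPTURES_FROM_POST), ("one member down", CAPTURES_ONE_MEMBER_DOWN)):
        print(label, diagnose(caps))
```

For the captures in the post the verdict is "isolated": every member is up and reports itself active, yet none sees any peer. That symmetric pattern points at cluster control/sync traffic not being delivered between the members, rather than at any single member being broken, which is the distinction to settle before spending more reboots.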
