Hi,
I had a similar problem in my lab setup but not once
in my production environment. Haven't found out why
exactly.
My solution was to (on each enforcement module):
- enter cpconfig
- disable cluster membership
- exit cpconfig
- reenter cpconfig
- reenable cluster membership.
I got the active status back on all enforcement
modules.
Hope this helps,
Richard
--- "Alex S." <alexals AT KKIPC DOT COM> wrote:
> Platform: NG AI R55 HFA17 on Solaris 9, 3 enforcements, 4 interfaces (1 external, 2 internal, 1 heartbeat), SUN Gigaswift QuadCard.
> 3rd party software: RainWall 3.1 SP5 R1
>
> If you look at the following, you see that every enforcement shows its remote peers as down. A reboot didn't fix it. Any ideas on troubleshooting?
>
> Enforcement 1:
>
> bash-2.05# cphaprob state
> Cluster Mode: Sync only (OPSEC)
> Number Unique Address Firewall State (*)
> 1 (local) 10.1.0.1 active
> 2 10.1.0.2 down
> 3 10.1.0.3 down
> (*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.
>
>
> Enforcement 2:
>
> bash-2.05# cphaprob state
> Cluster Mode: Sync only (OPSEC)
> Number Unique Address Firewall State (*)
> 1 10.1.0.1 down
> 2(local) 10.1.0.2 active
> 3 10.1.0.3 down
> (*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.
>
>
> Enforcement 3:
>
> bash-2.05# cphaprob state
> Cluster Mode: Sync only (OPSEC)
> Number Unique Address Firewall State (*)
> 1 10.1.0.1 down
> 2 10.1.0.2 down
> 3(local) 10.1.0.3 active
> (*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.
>
>
> Description:
>
> Both enforcement 1 & 2 are connected to Cisco 6509 switches through VLAN10, while enforcement 3 is connected to another Cisco 6509 switch through the same VLAN10. Both Cisco 6509 switches are located far from each other and connected via fiber links which are trunked. These enforcements are installed with RainWall 3.1 SP5 R1. RainWall is OPSEC 3rd party load balancing software.
>
> According to the ClusterXL document, I need to configure both switches for "no igmp snooping" in order to disable IGMP advertisement on the Cisco 6509 switches. Once done, I rebooted all three enforcements in the firewall cluster simultaneously and observed the synchronization activity between them. All of them synchronized successfully but... when I checked again using the command "cphaprob state", I found every enforcement seeing the others as down. I kept rebooting each of them but got the same problem as shown above. It does not synchronize after that.
>
> Frustrated with this problem, and since this is a production firewall cluster, I set up three test machines (using Linux) in order to simulate our live firewall cluster. It uses 100Mbps NIC cards as opposed to the production firewall cluster, which is using the SUN Gigaswift QuadCard. It works well and is able to synchronize with each other.
>
> I found another solution, which is to set a permanent multicast address on both Cisco 6509 switches, which is also stated in the ClusterXL document. But I wonder... if our test firewall cluster is able to synchronize well with only setting both switches for "no igmp snooping", by right our existing production firewall cluster (which is running on Solaris) should work as well... am I right?
>
> If I need to set the multicast address on the switches, how do I determine the multicast address being used by the firewall cluster? By right, it should be a default multicast address, am I right?
>
> Thanks to all who help me.
>
> Regards,
>
> Al
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
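One way to check for the symptom in this thread across the `cphaprob state` output collected from every member, as an added example written for this page (not Check Point's or RainWall's own tooling); the parser and the sample text are constructed from the output quoted above, and `as_seen_from()` is a helper that derives each member's view of the same table:

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the format of the `cphaprob state` output quoted above
# (member 1's view); as_seen_from() derives the other members' views from it.
SAMPLE = """\
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
1 (local) 10.1.0.1 active
2 10.1.0.2 down
3 10.1.0.3 down
(*) FW-1 monitors only the sync operation and the security policy.
"""

Member = NamedTuple("Member", [("number", int), ("address", str), ("state", str), ("local", bool)])
# Accepts both "1 (local) 10.1.0.1" and "2(local) 10.1.0.2" as they appear in the thread.
ROW = re.compile(r"^\s*(\d+)\s*(\(local\))?\s+(\d+(?:\.\d+){3})\s+(\w+)\s*$")

def parse_cphaprob_state(text: str) -> Dict[str, object]:
    """Return the cluster mode and one Member per table row."""
    mode, members = None, []
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            mode = line.split(":", 1)[1].strip()
        elif (m := ROW.match(line)):
            members.append(Member(int(m[1]), m[3], m[4].lower(), m[2] is not None))
    return {"mode": mode, "members": members}

def peers_down(view: Dict[str, object]) -> List[str]:
    """Addresses of remote members this member does not see as active."""
    return [m.address for m in view["members"] if not m.local and m.state != "active"]

def diagnose(views: List[Dict[str, object]]) -> str:
    """'isolated' = every member is active locally but sees all its peers down (the
    thread's symptom: suspect the sync/multicast path between them, not one box)."""
    if all(any(m.local and m.state == "active" for m in v["members"])
           and len(peers_down(v)) == len(v["members"]) - 1 for v in views):
        return "isolated"
    return "degraded" if any(peers_down(v) for v in views) else "healthy"

def as_seen_from(local_number: int) -> str:
    """Constructed view: the same table as member `local_number` reports it."""
    out = []
    for line in SAMPLE.splitlines():
        m = ROW.match(line)
        mine = bool(m) and int(m[1]) == local_number
        out.append(f"{m[1]}{' (local)' if mine else ''} {m[3]} {'active' if mine else 'down'}"
                   if m else line)
    return "\n".join(out)
```

Feeding the three views from the thread into `diagnose()` yields "isolated", which is the pattern that distinguishes a broken sync path from a member that has actually failed.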