Hi,
Did you do it one by one on each enforcement module? AFAIK, if I disable and re-enable the cluster membership, that means I have to reboot it. What does your lab setup look like? Is it similar to my problem? Would you mind sharing your experience on setting up this firewall cluster and what your solution was?
Thanks very much,
Regards,
Al
Richard wrote:
Hi,
I had a similar problem in my lab setup but not once in my production environment. Haven't found out why exactly.
My solution was to (on each enforcement module):
- enter cpconfig
- disable cluster membership
- exit cpconfig
- re-enter cpconfig
- re-enable cluster membership.
I got the active status back on all enforcement modules.
Hope this helps,
Richard
--- "Alex S." <alexals AT KKIPC DOT COM> wrote:
Platform: NG AI R55 HFA17 on Solaris 9, 3 enforcement modules, 4 interfaces (1 external, 2 internal, 1 heartbeat), SUN Gigaswift QuadCard.
3rd party software: RainWall 3.1 SP5 R1
If you look at the following, you will see that every enforcement module shows its remote peers as down. A reboot didn't fix it. Any ideas on troubleshooting?
Enforcement 1:
bash-2.05# cphaprob state
Cluster Mode: Sync only (OPSEC)

Number     Unique Address   Firewall State (*)
1 (local)  10.1.0.1         active
2          10.1.0.2         down
3          10.1.0.3         down

(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.

Enforcement 2:
bash-2.05# cphaprob state
Cluster Mode: Sync only (OPSEC)

Number     Unique Address   Firewall State (*)
1          10.1.0.1         down
2 (local)  10.1.0.2         active
3          10.1.0.3         down

(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.

Enforcement 3:
bash-2.05# cphaprob state
Cluster Mode: Sync only (OPSEC)

Number     Unique Address   Firewall State (*)
1          10.1.0.1         down
2          10.1.0.2         down
3 (local)  10.1.0.3         active

(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.
Description:
Both enforcement modules 1 and 2 are connected to Cisco 6509 switches through VLAN10, while enforcement module 3 is connected to another Cisco 6509 switch through the same VLAN10. The two Cisco 6509 switches are located far from each other and are connected via trunked fiber links. These enforcement modules are installed with RainWall 3.1 SP5 R1. RainWall is OPSEC 3rd party load balancing software.

According to the ClusterXL document, I need to configure both switches with "no igmp snooping" in order to disable IGMP advertisement on the Cisco 6509 switches. Once that was done, I rebooted all three enforcement modules in the firewall cluster simultaneously and observed the synchronization activity on each of them. All of them synchronized successfully but... when I checked again using the command "cphaprob state", I found that every enforcement module sees the others as down. I kept rebooting each of them but got the same problem as shown above. They do not synchronize after that.

Frustrated with this problem, and since this is a production firewall cluster, I set up three test machines (using Linux) in order to simulate our live firewall cluster. They use 100Mbps NICs, as opposed to the production firewall cluster, which is using the SUN Gigaswift QuadCard. It works well and the machines are able to synchronize with each other.

I found another solution, which is to set a permanent multicast address on both Cisco 6509 switches; this is also stated in the ClusterXL document. But I wonder... if our test firewall cluster is able to synchronize well with only "no igmp snooping" set on both switches, then by rights our existing production firewall cluster (which is running on Solaris) should work as well... am I right?

If I need to set a multicast address on the switches, how do I determine the multicast address being used by the firewall cluster? By rights, it should be a default multicast address, am I right?

Thanks to all who help me.
Regards,
Al
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
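As an added example (not code from any of the posts above), here is a small Python script that cross-checks the `cphaprob state` output collected from every cluster member and flags the picture Alex describes: each member reports itself active while marking every peer down. The three member outputs embedded in it are transcribed from the thread; the "healthy" outputs are constructed for contrast. Collecting the output from each member (for example over ssh) is left to the caller.

```python
"""Cross-check `cphaprob state` output from every member of a Check Point
cluster and report members whose view of their peers disagrees with what
those peers say about themselves.

Added example, not part of the original posts. MEMBER_OUTPUTS is transcribed
from the thread; HEALTHY_OUTPUTS is constructed to show the clean case."""
import re
from typing import Dict, List, Tuple

# One member row of `cphaprob state`, e.g. "1 (local) 10.1.0.1 active",
# "2(local) 10.1.0.2 active" or "3 10.1.0.3 down".
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s*(?P<local>\(local\))?\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)\s*$",
    re.MULTILINE,
)

FOOTNOTE = ("(*) FW-1 monitors only the sync operation and the security policy. "
            "Use OPSEC's monitoring tool to get the cluster status.\n")

# Transcribed from the three enforcement modules in the thread.
MEMBER_OUTPUTS: List[str] = [
    "bash-2.05# cphaprob state\nCluster Mode: Sync only (OPSEC)\n"
    "Number Unique Address Firewall State (*)\n"
    "1 (local) 10.1.0.1 active\n2 10.1.0.2 down\n3 10.1.0.3 down\n" + FOOTNOTE,
    "bash-2.05# cphaprob state\nCluster Mode: Sync only (OPSEC)\n"
    "Number Unique Address Firewall State (*)\n"
    "1 10.1.0.1 down\n2(local) 10.1.0.2 active\n3 10.1.0.3 down\n" + FOOTNOTE,
    "bash-2.05# cphaprob state\nCluster Mode: Sync only (OPSEC)\n"
    "Number Unique Address Firewall State (*)\n"
    "1 10.1.0.1 down\n2 10.1.0.2 down\n3(local) 10.1.0.3 active\n" + FOOTNOTE,
]

# Constructed (not from the thread): what the same cluster should look like.
HEALTHY_OUTPUTS: List[str] = [
    "Cluster Mode: Sync only (OPSEC)\n"
    "1 (local) 10.1.0.1 active\n2 10.1.0.2 active\n3 10.1.0.3 active\n",
    "Cluster Mode: Sync only (OPSEC)\n"
    "1 10.1.0.1 active\n2 (local) 10.1.0.2 active\n3 10.1.0.3 active\n",
    "Cluster Mode: Sync only (OPSEC)\n"
    "1 10.1.0.1 active\n2 10.1.0.2 active\n3 (local) 10.1.0.3 active\n",
]


def parse_cphaprob_state(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (local member address, {member address: state}) for one output."""
    local = None
    states: Dict[str, str] = {}
    for m in ROW_RE.finditer(text):
        states[m.group("addr")] = m.group("state").lower()
        if m.group("local"):
            local = m.group("addr")
    if local is None:
        raise ValueError("no (local) row found; is this cphaprob state output?")
    return local, states


def cluster_view_matrix(outputs: List[str]) -> Dict[str, Dict[str, str]]:
    """reporter address -> {member address: state as seen by that reporter}."""
    return dict(parse_cphaprob_state(out) for out in outputs)


def find_split_brain(view: Dict[str, Dict[str, str]]) -> List[str]:
    """Members that report themselves active and every peer down."""
    isolated = []
    for reporter, states in view.items():
        peers = [s for addr, s in states.items() if addr != reporter]
        if states.get(reporter) == "active" and peers and all(s == "down" for s in peers):
            isolated.append(reporter)
    return isolated


def find_disagreements(view: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(reporter, member, state_seen_by_reporter, state_member_reports_for_itself)
    for every pair where the two differ. A non-empty list means the members'
    views of each other are stale, i.e. state traffic between them is not
    getting through, regardless of what each box says about itself."""
    out = []
    for reporter, states in view.items():
        for member, seen in states.items():
            if member == reporter or member not in view:
                continue  # skip self and members we have no output for
            own = view[member].get(member)
            if own != seen:
                out.append((reporter, member, seen, own))
    return out


def summarize(outputs: List[str]) -> str:
    """Human-readable report of the collected views and the verdict."""
    view = cluster_view_matrix(outputs)
    lines = [f"{r} sees: " + ", ".join(f"{a}={s}" for a, s in sorted(view[r].items()))
             for r in sorted(view)]
    isolated = find_split_brain(view)
    if len(view) > 1 and len(isolated) == len(view):
        lines.append("ALL members see every peer down while active themselves: "
                     "state traffic between members is not arriving")
    elif isolated:
        lines.append("members seeing all peers down: " + ", ".join(isolated))
    else:
        lines.append("no member sees all of its peers down")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(MEMBER_OUTPUTS))
```

Run it as-is to see the thread's scenario reported; to use it on a live cluster, replace MEMBER_OUTPUTS with the text of `cphaprob state` captured on each member. The useful signal is the disagreement list: a member's own `active` is not evidence that its peers can hear it.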