Subject: [FW-1] RE : Re: [FW-1] RE : [FW-1] Troubleshoot Interface flapping on firewall cluster
From: Richard <expinet1 AT YAHOO DOT CA>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 16 May 2006 09:42:32 -0400
Hi,

My lab setup consists of 2 enforcement modules running
SPLAT R55 with Rainwall/RainConnect 3.1 SP5 and a
separate management station running on Windows.

When I disabled the cluster membership (if I remember
correctly), cpconfig restarted the FW1 services on
SPLAT without a need to completely reboot.

I disabled cluster membership on each module and only
after that I enabled it again on each module.

I never tested disabling/enabling one module at a time
before yesterday. Returning to my lab after changing
some networking equipment, I found out that the two
modules were listing the other as down with cphaprob
state.

So I did the change one module at a time. Using SPLAT
(I don't know if it's the same for Solaris) cpconfig
restarts the FW-1 service after the changes. And it
worked just fine.

I think this problem happened mostly when I was doing
some heavy configuration change in the cluster
properties and the RainWall configuration at the same
time.

HTH,

Richard

--- "Alex S." <alexals AT KKIPC DOT COM> wrote:

> Hi,
> 
> Did you do it one by one on each enforcement
> module? AFAIK, if I disable and enable back the
> cluster membership, that means I have to reboot
> it. What does your lab setup look like? Is it
> similar to my problems? Mind sharing your
> experience on setting up this firewall cluster
> and what's your solution?
> 
> Thanks very much,
> 
> Regards,
> 
> Al
> 
> Richard wrote:
> > Hi,
> >
> > I had a similar problem in my lab setup but not
> > once in my production environment. Haven't found
> > out why exactly.
> >
> > My solution was to ( on each enforcement module ):
> > - enter cpconfig
> > - disable cluster membership
> > - exit cpconfig
> > - reenter cpconfig
> > - reenable cluster membership.
> >
> > I got the active status back on all enforcement
> > modules.
> >
> > Hope this helps,
> >
> > Richard
> >
> > --- "Alex S." <alexals AT KKIPC DOT COM> wrote:
> >
> >> Platform:   NG AI R55 HFA17 on Solaris 9, 3
> >> enforcement modules, 4 interfaces (1 external,
> >> 2 internal, 1 heartbeat), SUN Gigaswift QuadCard.
> >> 3rd party software : RainWall 3.1 SP5 R1
> >>
> >> If you look at the following, you see that every
> >> enforcement module showed its remote peers as down.
> >> A reboot didn't fix it. Any ideas on
> >> troubleshooting?
> >>
> >> Enforcement 1:
> >>
> >> bash-2.05# cphaprob state
> >> Cluster Mode:   Sync only (OPSEC)
> >> Number          Unique Address  Firewall State (*)
> >> 1 (local)       10.1.0.1             active
> >> 2               10.1.0.2             down
> >> 3               10.1.0.3             down
> >> (*) FW-1 monitors only the sync operation and the
> >> security policy. Use OPSEC's monitoring tool to get
> >> the cluster status.
> >>
> >>
> >> Enforcement 2:
> >>
> >> bash-2.05# cphaprob state
> >> Cluster Mode:   Sync only (OPSEC)
> >> Number          Unique Address  Firewall State (*)
> >> 1               10.1.0.1             down
> >> 2(local)        10.1.0.2             active
> >> 3               10.1.0.3             down
> >> (*) FW-1 monitors only the sync operation and the
> >> security policy. Use OPSEC's monitoring tool to get
> >> the cluster status.
> >>
> >>
> >> Enforcement 3:
> >>
> >> bash-2.05# cphaprob state
> >> Cluster Mode:   Sync only (OPSEC)
> >> Number          Unique Address  Firewall State (*)
> >> 1               10.1.0.1             down
> >> 2               10.1.0.2             down
> >> 3(local)        10.1.0.3             active
> >> (*) FW-1 monitors only the sync operation and the
> >> security policy. Use OPSEC's monitoring tool to get
> >> the cluster status.
> >>
> >>
> >> Description:
> >>
> >> Both enforcement 1 & 2 are connected to Cisco 6509
> >> switches through VLAN10, while enforcement 3 is
> >> connected to another Cisco 6509 switch through the
> >> same VLAN10. Both Cisco 6509 switches are located
> >> far from each other and connected via fiber links
> >> which are trunked. These enforcement modules are
> >> installed with RainWall 3.1 SP5 R1. RainWall is
> >> OPSEC 3rd party load balancing software.
> >>
> >> According to the ClusterXL document, I need to
> >> configure both switches for "no igmp snooping" in
> >> order to disable IGMP advertisement on the Cisco
> >> 6509 switches. Once done, I rebooted all three
> >> enforcement modules in the firewall cluster
> >> simultaneously and observed the synchronization
> >> activity between them. All of them synchronized
> >> successfully but... when I checked again using the
> >> command "cphaprob state", I found every enforcement
> >> module seeing the others as down. I kept rebooting
> >> each of them but got the same problem as shown
> >> above. It does not synchronize after that.
> >>
> >> Frustrated with this problem, and since this is a
> >> production firewall cluster, I set up three test
> >> machines (using Linux) in order to simulate our
> >> live firewall cluster. They use 100Mbps NIC cards
> >> as opposed to the production firewall cluster,
> >> which uses SUN Gigaswift QuadCards. It works well
> >> and is able to synchronize with each other.
> >>
> >> I found another solution, which is to set a
> >> permanent multicast address on both Cisco 6509
> >> switches; this is also stated in the ClusterXL
> >> document. But I wonder... if our test firewall
> >> cluster is able to synchronize well with only
> >> setting both switches to "no igmp snooping", by
> >> right our existing production firewall cluster
> >> (which is running on Solaris) should work as
> >> well... am I right?
> >>
> >> If I need to set a multicast address on the
> >> switches, how do I determine the multicast address
> >> being used by the firewall cluster? By right, it
> >> should be a default multicast address, am I right?
> >>
> >> Thanks to all who help me.
> >>
> >> Regards,
> >>
> >> Al
> >>
> >> =================================================
> >> To set vacation, Out-Of-Office, or away messages,
> >> send an email to
> LISTSERV AT amadeus.us.checkpoint DOT com
> >> in the BODY of the email add:
> >> set fw-1-mailinglist nomail
> >> =================================================
> >> To unsubscribe from this mailing list,
> >> please see the instructions at
> >> http://www.checkpoint.com/services/mailing.html
> >> =================================================
> >> If you have any questions on how to change your
> >> subscription options, email
> >> fw-1-owner AT ts.checkpoint DOT com
> >> =================================================
=== message truncated ===
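The three cphaprob state listings quoted in the thread show the condition being troubleshot: every member reports itself active and both peers down, and no member's view agrees with any other's. The script below is an added example (it is not from this thread and not a Check Point tool); it parses listings in the layout shown above, cross-checks each member's self-reported state against what its peers report, and flags the unanimous "everyone else is down" pattern so a monitoring job can alert on it. The sample outputs are copied from the quoted message; the member names enforcement-1 to enforcement-3 and the row layout assumed by the regular expression are assumptions.

```python
"""Cross-check 'cphaprob state' output from several cluster members.

Added example, not part of the original thread or of Check Point's tooling.
The parser assumes the table layout shown in the thread (member number,
optional '(local)' tag, unique address, firewall state); other releases may
print more columns and would need the regular expression adjusted.
"""
import re

# Sample output copied from the three members in the quoted message
# (the member names are assumed; they are only labels for the views).
CPHAPROB_OUTPUTS = {
    "enforcement-1": """\
Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1 (local)       10.1.0.1             active
2               10.1.0.2             down
3               10.1.0.3             down
(*) FW-1 monitors only the sync operation and the security policy.
""",
    "enforcement-2": """\
Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1               10.1.0.1             down
2(local)        10.1.0.2             active
3               10.1.0.3             down
(*) FW-1 monitors only the sync operation and the security policy.
""",
    "enforcement-3": """\
Cluster Mode:   Sync only (OPSEC)
Number          Unique Address  Firewall State (*)
1               10.1.0.1             down
2               10.1.0.2             down
3(local)        10.1.0.3             active
(*) FW-1 monitors only the sync operation and the security policy.
""",
}

# One table row: member number, optional "(local)", IPv4 unique address, state.
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s*(?P<local>\(local\))?\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>\w+)\s*$"
)


def parse_cphaprob_state(text):
    """Return (cluster_mode, {member_number: (address, state, is_local)})."""
    mode = None
    members = {}
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            mode = line.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if m:
            members[int(m["num"])] = (m["addr"], m["state"].lower(), m["local"] is not None)
    return mode, members


def cross_check(views):
    """views maps a member name to its raw 'cphaprob state' output.

    Returns a dict with:
      modes         - set of cluster modes seen (should be a single value)
      isolated      - members that report themselves active and every peer down
      disagreements - (reporter, member_number, reported_state, self_state)
                      where a reporter's view contradicts the member's own view
      split_brain   - True when every member is isolated, i.e. no member
                      sees sync traffic from any other
    """
    parsed = {name: parse_cphaprob_state(text) for name, text in views.items()}
    self_state = {}  # member number -> (name, state the member reports for itself)
    for name, (_, members) in parsed.items():
        for num, (_, state, is_local) in members.items():
            if is_local:
                self_state[num] = (name, state)

    isolated, disagreements = [], []
    for name, (_, members) in parsed.items():
        own = [s for _, s, loc in members.values() if loc]
        peers = {n: s for n, (_, s, loc) in members.items() if not loc}
        if own == ["active"] and peers and all(s == "down" for s in peers.values()):
            isolated.append(name)
        for num, state in peers.items():
            if num in self_state and self_state[num][1] != state:
                disagreements.append((name, num, state, self_state[num][1]))

    return {
        "modes": {mode for mode, _ in parsed.values()},
        "isolated": sorted(isolated),
        "disagreements": sorted(disagreements),
        "split_brain": bool(isolated) and len(isolated) == len(parsed),
    }


if __name__ == "__main__":
    result = cross_check(CPHAPROB_OUTPUTS)
    print("cluster modes :", ", ".join(sorted(m for m in result["modes"] if m)))
    print("isolated      :", result["isolated"])
    for reporter, num, seen, own in result["disagreements"]:
        print(f"  {reporter} sees member {num} as {seen}, but it reports itself {own}")
    print("split-brain   :", result["split_brain"])
```

Because the cluster is in "Sync only (OPSEC)" mode, the listing's own footnote says FW-1 judges a peer by the sync operation alone, so a unanimous verdict of "peers down" while every member considers itself active points at the sync path between the members rather than at the firewall processes; that is consistent with the IGMP snooping and multicast questions raised in the thread, and it is a state worth alerting on from a monitoring host that collects the three views, rather than one to diagnose by rebooting members in turn.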