Hello,
I am going to ask some basic questions... since you are using Cisco 6509
gear, how are you trunking?
802.1q or the Cisco proprietary ISL?
Does Solaris support the same type of trunking?
Are both Cisco 6509s in the same VTP domain?
Have you tried using broadcast (unicast) instead of multicast, to see if it
is a multicast issue...
Regards
"Alex S." <alexals AT KKIPC DOT COM> wrote:
Hi,
Thanks for sharing. By the way, I'm not using SPLAT and my setup
consists of 3 enforcement modules (2 connected to Cisco 6509 switch (A)
and 1 to another Cisco 6509 (B), which in turn are trunked together via a
fiber link). The synchronization works across these switches using our
test machine (which is running on the Linux platform), but it fails on the 3
enforcement modules (which are running on Solaris) in our live network.
I am trying to troubleshoot this at the moment.
Regards,
Al
Richard wrote:
> Hi,
>
> my lab setup consists of 2 enforcement modules running
> SPLAT R55 with Rainwall/RainConnect 3.1 SP5 and a
> separate management station running on Windows.
>
> When I disabled the cluster membership (if I remember
> correctly), cpconfig restarted the FW1 services on
> SPLAT without a need to completely reboot).
>
> I disabled cluster membership on each module and only
> after that I enabled it again on each module.
>
> I never tested disabling/enabling one module at a time
> before yesterday. Returning to my lab after changing
> some networking equipment, I found out that the two
> modules were listing the other as down with cphaprob
> state.
>
> So I did the change one module at a time. Using SPLAT
> (I don't know if it's the same for Solaris) cpconfig
> restarts the FW-1 service after the changes. And it
> worked just fine.
>
> I think this problem happened mostly when I was doing
> some heavy configuration change in the cluster
> properties and the RainWall configuration at the same
> time.
>
> HTH,
>
> Richard
>
> --- "Alex S." wrote:
>
>
>> Hi,
>>
>> Did you do it one by one on each enforcement module? AFAIK, if I
>> disable and enable back the cluster membership, that means I have to
>> reboot it. What does your lab setup look like? Is it similar to my
>> problem? Mind sharing your experience on setting up this firewall
>> cluster and what your solution was?
>>
>> Thanks very much,
>>
>> Regards,
>>
>> Al
>>
>> Richard wrote:
>>
>>> Hi,
>>>
>>> I had a similar problem in my lab setup but not once in my production
>>> environment. Haven't found out why exactly.
>>>
>>> My solution was to (on each enforcement module):
>>> - enter cpconfig
>>> - disable cluster membership
>>> - exit cpconfig
>>> - reenter cpconfig
>>> - reenable cluster membership.
>>>
>>> I got the active status back on all enforcement modules.
>>>
>>> Hope this helps,
>>>
>>> Richard
>>>
>>> --- "Alex S." wrote:
>>>
>>>> Platform: NG AI R55 HFA17 on Solaris 9, 3 enforcement modules,
>>>> 4 interfaces (1 external, 2 internal, 1 heartbeat), SUN Gigaswift
>>>> QuadCard.
>>>> 3rd party software: RainWall 3.1 SP5 R1
>>>>
>>>> If you look at the following, you see that every enforcement module
>>>> shows its remote peers as down. A reboot didn't fix it. Any ideas on
>>>> troubleshooting?
>>>>
>>>> Enforcement 1:
>>>>
>>>> bash-2.05# cphaprob state
>>>> Cluster Mode: Sync only (OPSEC)
>>>> Number Unique Address Firewall State (*)
>>>> 1 (local) 10.1.0.1 active
>>>> 2 10.1.0.2 down
>>>> 3 10.1.0.3 down
>>>> (*) FW-1 monitors only the sync operation and the security policy.
>>>> Use OPSEC's monitoring tool to get the cluster status.
>>>>
>>>> Enforcement 2:
>>>>
>>>> bash-2.05# cphaprob state
>>>> Cluster Mode: Sync only (OPSEC)
>>>> Number Unique Address Firewall State (*)
>>>> 1 10.1.0.1 down
>>>> 2(local) 10.1.0.2 active
>>>> 3 10.1.0.3 down
>>>> (*) FW-1 monitors only the sync operation and the security policy.
>>>> Use OPSEC's monitoring tool to get the cluster status.
>>>>
>>>> Enforcement 3:
>>>>
>>>> bash-2.05# cphaprob state
>>>> Cluster Mode: Sync only (OPSEC)
>>>> Number Unique Address Firewall State (*)
>>>> 1 10.1.0.1 down
>>>> 2 10.1.0.2 down
>>>> 3(local) 10.1.0.3 active
>>>> (*) FW-1 monitors only the sync operation and the security policy.
>>>> Use OPSEC's monitoring tool to get the cluster status.
>>>>
>>>> Description:
>>>>
>>>> Both enforcement 1 & 2 are connected to Cisco 6509 switches through
>>>> VLAN10, while enforcement 3 is connected to another Cisco 6509 switch
>>>> through the same VLAN10. Both Cisco 6509 switches are located far from
>>>> each other and connected via fiber links which are trunked. These
>>>> enforcements are installed with RainWall 3.1 SP5 R1. RainWall is an
>>>> OPSEC 3rd party load balancing software.
>>>>
>>>> According to the ClusterXL document, I need to configure both switches
>>>> for "no igmp snooping" in order to disable IGMP advertisement on the
>>>> Cisco 6509 switches. Once done, I rebooted all three enforcements in
>>>> the firewall cluster simultaneously and observed the synchronization
>>>> activity on each one. All of them synchronized successfully but...
>>>> when I checked again using the command "cphaprob state", I found out
>>>> every enforcement was seeing the others as down. I kept rebooting each
>>>> one but I got the same problem as shown above. It does not synchronize
>>>> after that.
>>>>
>>>> Frustrated with this problem, and since this is a production firewall
>>>> cluster, I set up three test machines (using Linux) in order to
>>>> simulate our live firewall cluster. It uses 100Mbps NIC cards as
>>>> opposed to the production firewall cluster, which is using the SUN
>>>> Gigaswift QuadCard. It works well and is able to synchronize.
>>>>
>>>> I found out another solution, which is to set a permanent multicast
>>>> address on both Cisco 6509 switches, which is also stated in the
>>>> ClusterXL document. But, I wonder... if our test firewall cluster is
>>>> able to synchronize well with only both switches set for "no igmp
>>>> snooping", by right our existing production firewall cluster (which
>>>> is running on Solaris) should work as well... am I right?
>>>>
>>>> If I need to set the multicast address on the switches, how do I
>>>> determine the multicast address being used by the firewall cluster?
>>>> By right, it should be a default multicast address, am I right?
>>>>
>>>> Thanks to all who help me.
>>>>
>>>> Regards,
>>>>
>>>> Al
>>>>
>>>> =================================================
>>>> To set vacation, Out-Of-Office, or away messages,
>>>> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>>>> in the BODY of the email add:
>>>> set fw-1-mailinglist nomail
>>>> =================================================
>>>> To unsubscribe from this mailing list,
>>>> please see the instructions at
>>>> http://www.checkpoint.com/services/mailing.html
>>>> =================================================
>>>> If you have any questions on how to change your
>>>> subscription options, email
>>>> fw-1-owner AT ts.checkpoint DOT com
>>>> =================================================
>
> === message truncated ===
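Added example, not code from the thread or from Check Point or RainWall: a small POSIX shell check that parses "cphaprob state" output in the format quoted in Al's post and tells the symmetrical picture he describes (each member active locally, every peer down, which implicates the sync path between the members rather than one firewall) apart from a single failed member. The SAMPLE_* outputs are constructed for the example.

```shell
# Added example (not from the thread): checks for the "cphaprob state" symptom
# quoted above, where every member reports itself active and all peers down.
# The SAMPLE_* strings are constructed, modelled on the output in the thread.

SAMPLE_E1='Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
1 (local) 10.1.0.1 active
2 10.1.0.2 down
3 10.1.0.3 down
(*) FW-1 monitors only the sync operation and the security policy.'

SAMPLE_E2='Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
1 10.1.0.1 down
2(local) 10.1.0.2 active
3 10.1.0.3 down'

SAMPLE_OK='Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)
1 (local) 10.1.0.1 active
2 10.1.0.2 active
3 10.1.0.3 active'

# Print member rows as "number address state role" (role is local or peer).
# Both "1 (local) 10.1.0.1" and "2(local) 10.1.0.2" spellings are handled.
cluster_members() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+/ {
            role = (index($0, "(local)") > 0) ? "local" : "peer"
            sub(/\(local\)/, " ")      # rewriting $0 re-splits the fields
            print $1, $2, $3, role
        }'
}

# Print the addresses of peers not in state "active" on one line; exit 1 if any.
down_peers() {
    cluster_members "$1" | awk '
        $4 == "peer" && $3 != "active" { d = d (d == "" ? "" : " ") $2 }
        END { print d; exit (d != "") }'
}

# Exit 0 when the member sees itself active but every peer down. The same view
# on every member points at the sync path between them (here the multicast sync
# traffic across the trunked switches); on one member alone it points at that member.
isolated_view() {
    cluster_members "$1" | awk '
        $4 == "local" && $3 == "active" { self = 1 }
        $4 == "peer" { peers++; if ($3 != "active") down++ }
        END { exit (self && peers > 0 && down == peers) ? 0 : 1 }'
}
```

Feed each function the saved output of `cphaprob state` from one member; run it on every member and compare the views before touching the switches.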