Firewall-1

Re: [FW-1] RE : Re: [FW-1] RE : [FW-1] Troubleshoot Interface flapping on

Subject: Re: [FW-1] RE : Re: [FW-1] RE : [FW-1] Troubleshoot Interface flapping on firewall cluster
From: "Alex S." <alexals AT KKIPC DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 17 May 2006 11:51:03 +0800
Hi,

1. "how are you trunking ? 802.1q or the Cisco proprietary ISL? "
We have two Cisco 6509s trunked together using 802.1q via a fiber link.

2. "Does Solaris support the same type trunking? "
I am not sure about this. I do not use any trunking or VLANs on our GigaSwift quad card.

3. "Are both Cisco 6509 on the same VTP domain? "
No.

4. "Have you tried using broadcast(unicast) instead of Multicast ? "
Yes. The problem remains the same... but I will do it again sometime this week.

Regards,

Al


no-need to-list wrote:
Hello,
I am going to ask some basic questions... since you are using Cisco 6509 gear, how are you trunking? 802.1q or the Cisco proprietary ISL?
  Does Solaris support the same type of trunking?
  Are both Cisco 6509s on the same VTP domain?
  Have you tried using broadcast (unicast) instead of multicast, to see if it is a multicast issue?
  Regards

"Alex S." <alexals AT KKIPC DOT COM> wrote:
  Hi,

Thanks for sharing. By the way, I'm not using SPLAT, and my setup consists of 3 enforcement modules (2 connected to Cisco 6509 switch (A) and 1 to another Cisco 6509 (B), which are in turn trunked together via a fiber link). The synchronization works across these switches using our test machines (which run on Linux), but it fails on the 3 enforcement modules (which run on Solaris) in our live network. I am trying to troubleshoot this at the moment.

Regards,

Al


Richard wrote:
Hi,

my lab setup consist of 2 enforcement modules running
SPLAT R55 with Rainwall/RainConnect 3.1 SP5 and a
separate management station running on Windows.

When I disabled the cluster membership (if I remember
correctly), cpconfig restarted the FW-1 services on
SPLAT without the need for a complete reboot.

I disabled cluster membership on each module and only
after that I enabled it again on each module.

I never tested disabling/enabling one module at a time
before yesterday. Returning to my lab after changing
some networking equipment, I found out that the two
modules were each listing the other as down in cphaprob
state.

So I did the change one module at a time. Using SPLAT
(I don't know if it's the same for Solaris) cpconfig
restarts the FW-1 service after the changes. And it
worked just fine.

I think this problem happened mostly when I was doing
some heavy configuration change in the cluster
properties and the RainWall configuration at the same
time.

HTH,

Richard

--- "Alex S." a écrit :


Hi,

Did you do it one by one on each enforcement
module? AFAIK, if I disable and re-enable the cluster membership, that means I have to reboot it. What does your lab setup look like? Is it similar to my problem? Would you mind sharing your experience on setting up this firewall cluster and what your solution was?

Thanks very much,

Regards,

Al

Richard wrote:

Hi,

I had a similar problem in my lab setup but not once in my production environment. Haven't found out why exactly.

My solution was to ( on each enforcement module ):
- enter cpconfig
- disable cluster membership
- exit cpconfig
- reenter cpconfig
- reenable cluster membership.

I got the active status back on all enforcement modules.
Hope this helps,

Richard

--- "Alex S." a écrit :



Platform: NG AI R55 HFA17 on Solaris 9, 3 enforcement modules, 4 interfaces (1 external, 2 internal, 1 heartbeat), SUN Gigaswift QuadCard.
3rd party software: RainWall 3.1 SP5 R1

If you look at the following, you see that every enforcement module shows its remote peers as down. A reboot didn't fix it.

Any ideas on troubleshooting?

Enforcement 1:

bash-2.05# cphaprob state
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)

1 (local) 10.1.0.1 active
2 10.1.0.2 down
3 10.1.0.3 down
(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.

Enforcement 2:

bash-2.05# cphaprob state
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)

1 10.1.0.1 down
2 (local) 10.1.0.2 active
3 10.1.0.3 down
(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.

Enforcement 3:

bash-2.05# cphaprob state
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)

1 10.1.0.1 down
2 10.1.0.2 down
3 (local) 10.1.0.3 active
(*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.

Description:

Both enforcement 1 & 2 are connected to Cisco 6509 switches through VLAN10, while enforcement 3 is connected to another Cisco 6509 switch through the same VLAN10. Both Cisco 6509 switches are located far from each other and are connected via fiber links which are trunked. These enforcement modules are installed with RainWall 3.1 SP5 R1.

RainWall is OPSEC 3rd party load balancing software.

According to the ClusterXL document, I need to configure both switches for "no igmp snooping" in order to disable IGMP advertisement on the Cisco 6509 switches. Once done, I rebooted all three enforcement modules in the firewall cluster simultaneously and observed the synchronization activity between them. All of them synchronized successfully but... when I checked again using the command "cphaprob state", I found that every enforcement module sees the others as down. I keep rebooting each of them but I get the same problem as shown above. It does not synchronize after that.

Frustrated with this problem, and since this is a production firewall cluster, I set up three test machines (using Linux) in order to simulate our live firewall cluster. They use 100 Mbps NIC cards, as opposed to the production firewall cluster which is using the SUN Gigaswift QuadCard. It works well and they are able to synchronize with each other.

I found another solution, which is to set a permanent multicast address on both Cisco 6509 switches; this is also stated in the ClusterXL document. But I wonder... if our test firewall cluster is able to synchronize well with only setting both switches to "no igmp snooping", by rights our existing production firewall cluster (which is running on Solaris) should work as well... am I right?

If I need to set a multicast address on the switches, how do I determine the multicast address being used by the firewall cluster? By rights, it should be a default multicast address, am I right?

Thanks for all who helps me.

Regards,

Al

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to

LISTSERV AT amadeus.us.checkpoint DOT com

in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================





=== message truncated ===
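The symptom in the thread is that every member's "cphaprob state" shows itself active and all peers down, which is what you see when the sync/CCP traffic is not getting across the switches in either direction. The following is an added example (not part of the thread and not Check Point code) that parses that output from several members and compares their views, so you can tell a fully split cluster (everyone isolated) from a one-way problem (A sees B down but B sees A up), which points at a different link or filter. The three sample outputs are copied from the thread; the "isolated"/"split" labels are this script's own heuristic and are not Check Point terms. As the (*) note in the output says, for OPSEC Sync-only mode the real cluster status comes from the third-party monitoring tool; this only checks the sync view.

```python
"""Parse `cphaprob state` from several cluster members and compare their views.

Added example for this thread, not Check Point code.  The sample outputs are
copied from the thread; "isolated"/"split" are this script's own labels."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Member(NamedTuple):
    number: int
    address: str
    state: str
    is_local: bool


# A member row looks like "1 (local) 10.1.0.1 active" or "2 10.1.0.2 down";
# the "(local)" tag may be glued to the number ("2(local) 10.1.0.2 active").
MEMBER_RE = re.compile(
    r"^\s*(\d+)\s*(\(local\))?\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)
MODE_RE = re.compile(r"^\s*Cluster Mode:\s*(.+?)\s*$")


def parse_cphaprob_state(text: str) -> Tuple[Optional[str], List[Member]]:
    """Return (cluster mode, member rows) from one member's `cphaprob state`."""
    mode: Optional[str] = None
    members: List[Member] = []
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append(
                Member(int(m.group(1)), m.group(3), m.group(4).lower(), m.group(2) is not None)
            )
    return mode, members


def build_view_matrix(outputs: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map observer IP -> {observed IP: state} across every member's output."""
    matrix: Dict[str, Dict[str, str]] = {}
    for name, text in outputs.items():
        _, members = parse_cphaprob_state(text)
        local = [m for m in members if m.is_local]
        if len(local) != 1:
            raise ValueError(f"{name}: expected exactly one (local) row, got {len(local)}")
        matrix[local[0].address] = {m.address: m.state for m in members}
    return matrix


def diagnose(outputs: Dict[str, str]) -> dict:
    """Compare the members' views of each other.

    isolated:   sees itself active, every peer down, and is seen down by every peer
    asymmetric: pairs where A's view of B differs from B's view of A
    split:      every member is isolated (the pattern posted in the thread)
    """
    matrix = build_view_matrix(outputs)
    ips = sorted(matrix)
    modes = {parse_cphaprob_state(t)[0] for t in outputs.values()}
    isolated: List[str] = []
    asymmetric: List[Tuple[str, str, Optional[str], Optional[str]]] = []
    for a in ips:
        peers = [b for b in ips if b != a]
        if (
            matrix[a].get(a) == "active"
            and all(matrix[a].get(b) == "down" for b in peers)
            and all(matrix[b].get(a) == "down" for b in peers)
        ):
            isolated.append(a)
        for b in peers:
            if b > a and matrix[a].get(b) != matrix[b].get(a):
                asymmetric.append((a, b, matrix[a].get(b), matrix[b].get(a)))
    return {
        "members": ips,
        "mode_mismatch": len(modes) > 1,
        "isolated": isolated,
        "asymmetric": asymmetric,
        "split": len(ips) > 1 and len(isolated) == len(ips),
    }


# Outputs copied from the thread's three enforcement modules.
SAMPLE_OUTPUTS = {
    "enforcement1": """\
Cluster Mode: Sync only (OPSEC)
Number Unique Address Firewall State (*)

1 (local) 10.1.0.1 active
2 10.1.0.2 down
3 10.1.0.3 down
(*) FW-1 monitors only the sync operation and the security policy.
""",
    "enforcement2": """\
Cluster Mode: Sync only (OPSEC)
1 10.1.0.1 down
2(local) 10.1.0.2 active
3 10.1.0.3 down
""",
    "enforcement3": """\
Cluster Mode: Sync only (OPSEC)
1 10.1.0.1 down
2 10.1.0.2 down
3(local) 10.1.0.3 active
""",
}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_OUTPUTS).items():
        print(f"{key}: {value}")
```

Run against the thread's three outputs it reports split: True with all three addresses isolated and no asymmetric pairs, i.e. no member receives sync from any other, consistent with a layer-2 multicast delivery problem across the trunk rather than a single bad link. Collect the output from each member with the same command and feed the texts in as the dict values; an asymmetric entry instead points at one direction only.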
