[FW-1] High Availability VRRP Outgoing traffic behavior

Subject: [FW-1] High Availability VRRP Outgoing traffic behavior
From: Pedro Boavida <pboavida AT CESCE DOT PT>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 22 Sep 2006 12:06:17 +0100
Hi,

I'd like some clarification regarding the following situation:

Environment: 
Nokia IP1260 Cluster with 2 Members (IPSO 4.0 with NGX R60 HFA04) using 3rd 
Party VRRP High Availability and Cluster XL for the SyncNetwork

VRRP:
VRRP Monitored Circuits using Legacy Configuration
3rd Party Configuration (Cluster Object)
Support for non-sticky connections - Disable
Hide Cluster Members outgoing traffic behind the Cluster IP address - Enable
Forward Cluster Incoming traffic to Cluster Members IP address - Enable

Problem:
Assuming this, when we initiate a connection from the active member, if we take 
a tcpdump, the connection SourceMac is the VRRP_MAC and SourceIP is the VIP, 
and in the SmartTracker we see the IP of the active member being translated to 
the Cluster IP (VIP) by an implied rule; well, this is the normal behavior.

If we make a connection from the Standby member, we see the connection getting 
out (SYN); the SourceMac is the LocalMac and SourceIP is the VIP from 
the member, and in the SmartTracker we see the IP of the standby member being 
translated to the Cluster IP (VIP) by an implied rule. The connection is 
unsuccessful because the SYN/ACK will return to the VIP address and will be 
processed by the active member, and so I cannot initiate any connection using 
the standby member; well, this should be the normal behavior also.

The problem is that this behavior is not true on all interfaces of the standby 
member: on some interfaces the connection is initiated with SourceMAC=LocalMAC 
and SourceIP=LocalIP, and in the SmartTracker we don't see the IP of the member 
being translated to the Cluster IP (VIP) by an implied rule, and of course with 
this behavior the TCP handshake is done and the connection is made.

Can anyone tell me which behavior to expect when initiating a connection from a 
standby member of a VRRPmc configuration regarding the Source MAC address and 
source IP address used by the member?
With the checkbox "Hide Cluster Members outgoing traffic behind the Cluster IP 
address" enabled, should I not expect the same behavior on all interfaces? Is 
there a configuration per interface?

Thanks in advance.

Pedro Boavida

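The post reports that the standby member's hide behaviour differs from interface to interface, which is exactly the kind of thing to confirm with a per-interface capture before opening a case. The script below is an added example, not code from the post or from Check Point/Nokia: it parses `tcpdump -e -n` style lines captured on each interface of the standby member, classifies every outbound SYN by the (source MAC, source IP) pair the post describes, and flags interfaces whose behaviour differs from the rest. The VRID, interface names, MAC and IP addresses, and the sample capture lines are all constructed for the example; the only real constant is the RFC 3768 VRRP virtual MAC prefix 00:00:5e:00:01:&lt;VRID&gt;.

```python
import re
from collections import Counter, defaultdict

# Constructed cluster layout as seen from the STANDBY member (hypothetical values).
VRID = 1
VRRP_MAC = f"00:00:5e:00:01:{VRID:02x}"  # RFC 3768 virtual router MAC for VRID 1
IFACES = {
    "eth1": {"local_mac": "00:a0:8e:11:11:11", "local_ip": "10.1.1.2", "vip": "10.1.1.1"},
    "eth2": {"local_mac": "00:a0:8e:22:22:22", "local_ip": "10.2.2.2", "vip": "10.2.2.1"},
    "eth3": {"local_mac": "00:a0:8e:33:33:33", "local_ip": "10.3.3.2", "vip": "10.3.3.1"},
}

# Shape of a "tcpdump -e -n" line: <ts> <srcmac> > <dstmac>, ethertype IPv4 (0x0800),
# length N: <sip>.<sport> > <dip>.<dport>: Flags [S], ...
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample captures, one list per interface of the standby member.
SAMPLE = {
    "eth1": [
        "12:06:17.000001 00:a0:8e:11:11:11 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: "
        "10.1.1.1.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0",
        # SYN/ACK from the peer is not an outbound SYN and is ignored by the audit
        "12:06:17.000500 00:0c:29:aa:bb:cc > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 74: "
        "192.0.2.10.80 > 10.1.1.1.40001: Flags [S.], seq 9, ack 2, win 65535, length 0",
    ],
    "eth2": [
        "12:06:18.000001 00:a0:8e:22:22:22 > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), length 74: "
        "10.2.2.1.40002 > 192.0.2.20.443: Flags [S], seq 1, win 65535, length 0",
    ],
    "eth3": [
        # the symptom from the post: member IP on the wire, no hide NAT applied
        "12:06:19.000001 00:a0:8e:33:33:33 > 00:0c:29:12:34:56, ethertype IPv4 (0x0800), length 74: "
        "10.3.3.2.40003 > 192.0.2.30.22: Flags [S], seq 1, win 65535, length 0",
    ],
}


def parse_syn(line):
    """Return (src_mac, src_ip) for an outbound pure-SYN line, otherwise None."""
    m = LINE_RE.match(line)
    if not m or m.group("flags") != "S":
        return None
    return m.group("smac").lower(), m.group("sip")


def classify(iface, src_mac, src_ip):
    """Map the (source MAC, source IP) pair to the behaviours described in the post."""
    cfg = IFACES[iface]
    if src_mac == VRRP_MAC and src_ip == cfg["vip"]:
        return "hidden-vrrp-mac"    # what the active member is expected to send
    if src_mac == cfg["local_mac"] and src_ip == cfg["vip"]:
        return "hidden-local-mac"   # standby: SYN leaves, the SYN/ACK lands on the master
    if src_mac == cfg["local_mac"] and src_ip == cfg["local_ip"]:
        return "not-hidden"         # member IP on the wire: hide NAT was not applied
    return "unexpected"


def audit(captures):
    """captures: {iface: [tcpdump lines]} -> {iface: sorted list of behaviours seen}."""
    seen = defaultdict(set)
    for iface, lines in captures.items():
        for line in lines:
            parsed = parse_syn(line)
            if parsed:
                seen[iface].add(classify(iface, *parsed))
    return {iface: sorted(classes) for iface, classes in seen.items()}


def inconsistent_interfaces(report):
    """Interfaces whose behaviour set differs from the most common one across the box."""
    if not report:
        return []
    majority, _ = Counter(tuple(v) for v in report.values()).most_common(1)[0]
    return sorted(iface for iface, v in report.items() if tuple(v) != majority)


if __name__ == "__main__":
    rep = audit(SAMPLE)
    for iface, classes in sorted(rep.items()):
        print(f"{iface}: {', '.join(classes)}")
    print("interfaces deviating from the majority:", inconsistent_interfaces(rep))
```

In practice the per-interface lists would be filled from separate `tcpdump -e -n -i <iface>` runs on the standby member; any interface reported as `not-hidden` is one where the member's own IP reaches the wire and the implied hide rule did not fire, which is the discrepancy the post is asking about.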
