Firewall-1

Re: [FW-1] DHCP relay: annoying low port translation

Subject: Re: [FW-1] DHCP relay: annoying low port translation
From: Eduardo Bergasa <eduardo.bergasa AT UNIRIOJA DOT ES>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 24 Jan 2007 11:50:49 +0100
Dion-ben Hendriks wrote:
> Hi Eduardo,
>
> We (still) have an R54 ClusterXL loadsharing cluster on Solaris, with DHCP relay
> for 2 interfaces (out of 12). We've seen the same, only I figured it had to do
> with the difference in the IP source on the packet (the cluster IP) and the
> server IP in the DHCP info (the node interface IP) of the packet.
> We also noticed that Windows seems to partially process the packet, because an
> ipconfig /renew after a failed DHCP sequence usually works, because Windows
> then tries to contact the DHCP server directly, based on the DHCP info from the
> failed attempt... strange, huh... We ended up adding a DHCP relay outside of the
> FW cluster for the networks in question...
>
> Dion

Thanks Dion,
I reply to myself. I hope it helps anyone with the same problem.

ClusterXL does what in the Checkpoint documentation is called 'Cluster
hide': whenever a connection is originated from one of the cluster
nodes, FW-1 changes the source address to the cluster IP address, and also
changes the original source port to a high port.

Finding where to modify this behaviour is the difficult part.

You have to uncheck ClusterXL in the General Properties of the cluster.
After unchecking this option you can access the 3rd Party Configuration
options (where the ClusterXL options were supposed to be); uncheck the
'cluster hide' option and then check ClusterXL back on.

After this change DHCP relay and Windows XP will work like a charm.



--
_____________________________________________________
Eduardo Bergasa Balda
UNIVERSIDAD DE LA RIOJA
Servicio Informático    Seguridad Técnica Informática

C/Avenida de La Paz, 93             Tf:+34-941-299560
26006 Logroño - SPAIN               Fx:+34-941-299180
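
A check for the symptom described in this thread, added here as an example and not part of the original message: it inspects a relayed DHCP reply headed to a client and reports a rewritten source port or a source IP that differs from the relay address carried in the packet. The addresses, the port 34512 and the function names are constructed for illustration, and comparing against `giaddr` is this example's assumption about which DHCP field the quoted message refers to.

```python
import socket
import struct

RELAY_PORT, CLIENT_PORT = 67, 68   # BOOTP/DHCP server+relay port, client port

def build_packet(src, dst, sport, dport, op, giaddr):
    """Constructed IPv4/UDP/BOOTP packet for the demo (checksums left at 0)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 1, 0x1234ABCD, 0, 0,
                        bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr))
    bootp += bytes(236 - len(bootp))   # chaddr, sname and file left empty
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def check_relayed_reply(raw):
    """Return findings for a relayed BOOTREPLY sent to a client, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 17:
        return None                    # not IPv4 carrying UDP
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 8 + 28:
        return None                    # truncated before the BOOTP giaddr field
    sport, dport = struct.unpack_from("!HH", raw, ihl)
    op = raw[ihl + 8]
    giaddr = socket.inet_ntoa(raw[ihl + 32:ihl + 36])
    if dport != CLIENT_PORT or op != 2 or giaddr == "0.0.0.0":
        return None                    # not a relayed reply towards a client
    src = socket.inet_ntoa(raw[12:16])
    findings = []
    if sport != RELAY_PORT:
        findings.append(f"source port {sport} instead of {RELAY_PORT}")
    if src != giaddr:
        findings.append(f"source IP {src} differs from giaddr {giaddr}")
    return findings

# Constructed samples: 192.0.2.2 is a cluster node, 192.0.2.1 the cluster IP.
SAMPLES = {
    "plain relay": build_packet("192.0.2.2", "192.0.2.50", 67, 68, 2, "192.0.2.2"),
    "cluster hide": build_packet("192.0.2.1", "192.0.2.50", 34512, 68, 2, "192.0.2.2"),
    "client discover": build_packet("0.0.0.0", "255.255.255.255", 68, 67, 1, "0.0.0.0"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", check_relayed_reply(pkt))
```

To use it on real traffic, feed it the IP payload of each frame captured on the client-facing interface, before and after changing the 'cluster hide' setting.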
