Hi again,

I've figured out how to make Active/Active work with site-2-site VPN with Cisco devices.
1) Configure IPSO clustering on the first firewall. Make sure you also define cluster IP addresses for the sync interface. Make sure that you use forwarding mode and that the work assignment is "static".
2) Configure IPSO clustering for the second firewall. You just need to enter the IP address of the first firewall's sync interface. It will do the rest for you.
3) In the Check Point topology, configure it properly. Do not forget to set the gateway cluster object to use "load-sharing".
4) Push the policy.
For some reason, the VPN between Check Point and Cisco does not like the work assignment to be "dynamic" in IPSO clustering.
cisco4ng <cisco4ng AT YAHOO DOT COM> wrote:

Hi folks,
I have the following scenario; I am wondering if someone can help me with it:
          |--CPx--|
  hostA---|       |---Internet---RouterZ---hostB
          |--CPy--|
Check Point firewall is NGX R61 with HFA01. Nokia IPSO is IPSO 4.1 build 19.
hostA is 10.100.109.12/24. HostB is 192.168.109.1/24 (RouterA lo0). RouterZ is running IOS 12.2(15)T17.
I have a site-2-site VPN between CP and RouterA.
When I set up the CP firewall as Active/Standby with simplified VRRP, the VPN works fine. When I shut down CPx, the VPN tunnel fails over to CPy and I lose about 1 or maybe 2 ping packets, which is expected, when hostA pings hostB and vice versa through the VPN tunnel.
Now I remove the VRRP configuration from CPx and CPy and reboot the firewalls. When CPx and CPy come back online, I set up IPSO clustering in "forwarding" mode for Active/Active. I also modified the Check Point policy for the load-balancing method, and pushed the policy.
Now I have intermittent VPN connectivity issues. When both firewalls are online, hostA can ping hostB just fine, but it always times out on the first packet. HostB, on the other hand, cannot ping hostA at all, unless I shut down either CPx or CPy. After that, hostB can ping hostA.
Has someone who has done this before tell me how to fix this issue? Many thanks in advance.
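The ping checks the original post describes (first-packet timeout with both members up, a one- or two-packet gap on failover) are easier to compare if the lost sequence numbers are counted rather than read off the screen. The script below is an added example, not code from either poster or from Check Point or Nokia; it parses ping output and lists the icmp_seq numbers that never got a reply. It assumes Linux-style ping output where icmp_seq starts at 1 (pass a different start value for BSD-style ping that starts at 0), and the sample output in the test is constructed, reusing the hostB address from the post.

```shell
#!/bin/sh
# Added example: report which ICMP sequence numbers got no reply, so
# first-packet timeouts and failover gaps across the VPN can be counted.

# lost_seqs COUNT [START] - reads ping output on stdin and prints, one per
# line, the seq numbers in START..START+COUNT-1 with no "icmp_seq=N" reply.
# START defaults to 1 (Linux iputils); use 0 for BSD/macOS ping. (Assumption:
# replies carry "icmp_seq=N", which both ping flavours print.)
lost_seqs() {
    count="$1"
    start="${2:-1}"
    seen=$(grep -o 'icmp_seq=[0-9]*' | cut -d= -f2 | sort -n | uniq)
    i="$start"
    last=$((start + count - 1))
    while [ "$i" -le "$last" ]; do
        if ! printf '%s\n' "$seen" | grep -qx "$i"; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}

# lost_count COUNT [START] - same input, prints only the number of lost replies.
lost_count() {
    lost_seqs "$1" "$2" | wc -l | tr -d ' '
}

# tunnel_test HOST [COUNT] - ping HOST through the tunnel and report losses.
# Run it on hostA toward hostB, then on hostB toward hostA, to reproduce the
# asymmetric behaviour from the post (hypothetical helper, not a product tool).
tunnel_test() {
    host="$1"
    count="${2:-10}"
    out=$(ping -c "$count" "$host" 2>&1)
    lost=$(printf '%s\n' "$out" | lost_seqs "$count")
    if [ -z "$lost" ]; then
        echo "$host: all $count replies received"
    else
        echo "$host: lost icmp_seq $(printf '%s' "$lost" | tr '\n' ' ')"
    fi
}
```

Run `tunnel_test 192.168.109.1 20` from hostA and `tunnel_test 10.100.109.12 20` from hostB with both cluster members up, then again with one member shut down; a persistent loss of seq 1 in one direction and total loss in the other is the pattern described in the post, while a one- or two-packet gap only around the moment of failover is the expected Active/Standby behaviour.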
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================