Hello,
I have the following configuration:
1) 2 * NOKIAs: NOKIA650A (internal IP 192.168.186.21) and NOKIA650B (internal IP 192.168.186.22) working in HA with Monitor Circuit. NOKIA650A has logical IP address 192.168.186.31 and NOKIA650B has logical IP address 192.168.186.32. Both of them have FW-1 Version 4.1 SP2.
2) 2 * RS/6000 AIX servers configured with HACMP. Each AIX server has 2 Ethernet adapters (1 for polling each other, the other for connecting to the LAN). AIX1 has IP 192.168.186.41 and serves Radius. AIX2 has IP 192.168.186.42 and serves HTTP. Both of them have the NOKIA650B logical address (IP 192.168.186.32) as default route. AIX1 is NATed to 222.X.X.41 and AIX2 is NATed to 222.X.X.42. If AIX1 fails, then AIX2 takes over AIX1's IP and MAC on the second adapter, so that AIX2 then has IPs 192.168.186.42 and 192.168.186.41. If AIX2 has to initiate a connection, the source IP address is <192.168.186.42> (its own address).
3) 2 * external RAS (IP 222.X.X.100 and 222.X.X.101). Both of them have the NOKIA650B external logical IP address as default route. Both of them authenticate to IP 222.X.X.41.
4) If both RS/6000 are up, everything goes OK. If AIX2 goes down, everything goes OK too. But if AIX1 goes down, we begin to see the following in the Firewall-1 log: Source <222.X.X.100> Dest <192.168.186.41> Service <Radius> dropped by the last rule (Any Any Any drop). I mean, suddenly the Firewall-1 drops packets that go to the internal IP address of the Radius server. It's OK that the Firewall-1 drops these packets. WHAT IS WRONG is that it's impossible that the RAS sends a packet to an internal IP address. We've put a sniffer between the Firewall-1 and the RAS and we saw that the RAS sends the packets to IP <222.X.X.41>, so it's the Firewall-1 that's having a problem with its NAT tables or rules. What is strange too is that not every packet is dropped: some are dropped, and others go to the external IP address of the Radius server <222.X.X.41>.
Has anybody had something similar?
Thanks in advance, Leonardo.
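A triage helper for the symptom described in the post, added here as an example and not part of the original message: it reads FireWall-1 log lines in the shape quoted above and separates, per external source, inbound packets that reached the public NAT address from those that arrived un-translated at the internal address and hit the cleanup rule. The log lines are constructed, and 203.0.113.x stands in for the masked 222.X.X.x addresses.

```python
"""Spot inbound packets that missed their static NAT translation (constructed example)."""
import ipaddress
import re

# Internal LAN from the post; 203.0.113.0/24 is a constructed stand-in for 222.X.X.0/24.
INTERNAL_NETS = [ipaddress.ip_network("192.168.186.0/24")]

# Static NAT map: public address -> internal address (placeholders for 222.X.X.41/42).
STATIC_NAT = {
    "203.0.113.41": "192.168.186.41",  # AIX1, Radius
    "203.0.113.42": "192.168.186.42",  # AIX2, HTTP
}

# Constructed log lines in the format the post quotes.
SAMPLE_LOG = """\
Source <203.0.113.100> Dest <192.168.186.41> Service <Radius> dropped by the last rule
Source <203.0.113.100> Dest <203.0.113.41> Service <Radius> accepted
Source <203.0.113.101> Dest <192.168.186.41> Service <Radius> dropped by the last rule
Source <192.168.186.42> Dest <203.0.113.100> Service <Radius> accepted
Source <203.0.113.5> Dest <192.168.186.22> Service <telnet> dropped by the last rule
"""

LINE_RE = re.compile(r"Source <([^>]+)> Dest <([^>]+)> Service <([^>]+)> (.*)")


def is_internal(addr):
    """True if addr belongs to one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def nat_health(log_text):
    """Per (external source, service): count packets that hit the public NAT
    address ("translated") versus packets dropped while addressed directly to
    the NATed host's internal IP ("untranslated"). Outbound traffic and drops
    to hosts without a static NAT entry are ignored."""
    public_of = {internal: public for public, internal in STATIC_NAT.items()}
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, svc, action = m.groups()
        if is_internal(src):
            continue  # outbound: not what we are measuring
        if dst in STATIC_NAT:
            category = "translated"
        elif dst in public_of and action.startswith("dropped"):
            category = "untranslated"  # reached the firewall without translation
        else:
            continue
        stats.setdefault((src, svc), {"translated": 0, "untranslated": 0})[category] += 1
    return stats
```

A source with both counters non-zero shows the intermittent pattern the post reports: some of its packets are translated, others are not.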