...
Not sure based on the information you are giving, but it seems like you may have an asymmetric routing problem... =)

We all know that asymmetric routing is not a very secure setup (bad, bad, bad). Anyhow, do you have state synchronization enabled? If not, then:

- Physically disconnect the firewalls from the external (public) segments and the internal (private) segments. <paranoid? ;)>
- fwstop on both firewalls.
- On both firewalls, make a sync.conf file under the $FWDIR/conf directory.
- In each sync.conf file (just a text file) place the other firewall's IP address (hint: echo "ip_address" > sync.conf).
- Do an fw putkey on each firewall with the other's IP, using the same passkey (i.e. fw putkey -p <password> other_fw_ip_address).
- fwstart.
- Depending on your policies, you may need to allow the firewalls to talk with one another via tcp:259 (if I remember correctly... correct me if I'm wrong... too lazy to look it up right now, but it is in the arch./admin. manual).

Try to use a dedicated 100 Mb/s full-duplex or faster segment for the state sync. Keep in mind, though, that if clients are on segments that access the database faster than 100ms, your connections may drop substantially.

Are you using a third-party HA (standby or cluster) solution? You may want to think about StoneBeat, Alteon, Rainfinity, etc., since then you can use a single IP address for both firewalls, having only one default route on your internal and external devices, and not worry about asymmetric routing... theoretically, that is. <grin>

=)
Amin Tora
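The sync.conf / fw putkey sequence from the post above, as an added example script that is not part of the original message and not Check Point's own tooling. It is meant to be run once on each firewall, passing the other member's IP and the shared passkey. Assumptions not stated in the post: $FWDIR is exported, and fwstop, fw and fwstart are on PATH; when they are absent (for instance on a workstation dry run) the script only writes $FWDIR/conf/sync.conf and reports which commands it would have run. The rule-base change for the sync traffic is not scripted; check the port against your version's manual as the post suggests.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sync.conf / fw putkey
# steps on ONE FireWall-1 member. Run on each firewall with the OTHER
# firewall's IP and the shared passkey. Assumed: $FWDIR is set and fwstop /
# fw / fwstart are on PATH; if they are not, this is a dry run that only
# writes the config file.
set -eu

# Return 0 when $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# Rejects anything that is not digits and dots, so a peer value cannot
# smuggle shell metacharacters into the commands below.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the peer's address into $1/conf/sync.conf, i.e. the post's
# `echo "ip_address" > sync.conf`. Prints the path of the file written.
write_sync_conf() {
    fwdir=$1; peer=$2
    valid_ipv4 "$peer" || { echo "write_sync_conf: bad peer IP '$peer'" >&2; return 1; }
    mkdir -p "$fwdir/conf"
    printf '%s\n' "$peer" > "$fwdir/conf/sync.conf"
    echo "$fwdir/conf/sync.conf"
}

# Run a FireWall-1 command only if it is installed; otherwise report a dry
# run (only the command name is echoed, so the passkey never hits a log).
run_fw_cmd() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@"
    else
        echo "dry-run (not installed): $1 ..." >&2
    fi
}

# Full sequence for one member: fwstop, sync.conf, fw putkey, fwstart.
# $1 = peer firewall IP, $2 = shared passkey (must match on both members).
setup_state_sync() {
    peer=$1; passkey=$2
    run_fw_cmd fwstop
    write_sync_conf "${FWDIR:?FWDIR must point at the FireWall-1 install}" "$peer" >/dev/null
    # -p puts the passkey on the command line, where `ps` can show it to
    # other local users; run fw putkey without -p to be prompted instead
    # (assumption: your FW-1 version prompts when -p is omitted).
    run_fw_cmd fw putkey -p "$passkey" "$peer"
    run_fw_cmd fwstart
}

# Usage: FWDIR=/etc/fw ./fw1-sync.sh <other_fw_ip> <passkey>
if [ "$#" -ge 2 ]; then
    setup_state_sync "$1" "$2"
fi
```

Run it on firewall A with B's address, then on B with A's address, using the same passkey both times; the rule allowing the two firewalls to reach each other over the sync port still has to be added to the policy by hand.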