
Re: [FW1] Stone Beat Full Cluster



Mark is correct in that you can't do much to troubleshoot unless you
provide some more specifics about your configuration.  First, ensure your
interface speeds and duplex information are forced to an agreeable setting
(no autonegotiation) on both the switch and the firewalls.

You should ensure that you have static definitions for the multicast MAC
on ports to which that particular traffic is to traverse (firewall and
trunk ports).  If not, this will undoubtedly cause problems identical to
the ones that you're describing.  You'll be able to verify this by
observing traceroute output through the cluster -- it'll bounce between
firewalls and routers, but never reliably all the way through.

You can also test by placing the test machine on the heartbeat/control
interface LAN.  This should not be subject to the throughput problems.  If
it is, check your duplex and speed settings.

You must:
* Force all interfaces to agreeable settings.
* Define multicast MAC assignment on router.
* Define multicast MAC on firewall and trunk ports on the switch.
* Remove local default routing information for firewall interfaces.

Peter Lukas

On Mon, 15 Jan 2001 [email protected] wrote:

> 
> 
> Hi,
> 
> Usually performance issues are caused by asymmetric routing conditions.
> And asymmetric routing conditions with FullCluster means that at least one
> of the nodes has an error in its configuration.  There are also problems
> with the use of Ethernet multicast and Cisco switches that can cause
> flooding. For each of these configurations, we would need to know a bit
> more about your configuration. If you could tell us, are you using unicast,
> multicast MAC or multicast IP? If you are using a multicast IP
> configuration, and therefore IGMP, do you have IGMP snooping enabled
> elsewhere? Are you using NAT? Dedicated and virtual IPs? Check with
> [email protected], or call the support numbers below, and someone
> should be able to assist you with the problem. Best of luck!
> 
> ----------------------------------------------------------------
> Mark Boltz
> Network Security Specialist
> [email protected]
> Tel:
> Cel:
> Fax:
>
> Stonesoft, Inc.
> 115 Perimeter Center Place
> South Terraces, Suite 1000
> Atlanta, GA 30346
> USA
> http://www.stonesoft.com
>
> New support numbers!
> Toll free:
> Other areas:
> 
> 
> "Chang, Andre" <[email protected]>
> Sent by: [email protected]
> 01/15/2001 07:30 AM
>
> To:      "'[email protected]'" <[email protected]>
> cc:
> Subject: [FW1] Stone Beat Full Cluster
>
> 
> I too run Check Point on a Windows NT system using Stone Beat Full Cluster
> through a Catalyst 6509 switch and there have been a couple of issues that I
> am still trying to work out.
> 
> 1.  There is still some kind of broadcast or flooding of the network when
> using multicast.
> 
> 2.  Downloads and access to Web pages through our burstable 45mb port to
> the Internet is very slow.  Example to download a file from that is 23mb I
> get roughly 50 - 60 kbs and download time is roughly 20 to 28 minutes.
> 
> 3.  I have tested this three ways to see if it is the firewalls or the
> switch.
>    a.  I put a box on the public side of the firewall running parallel to
>        it and plugged into a public port of the catalyst and I get download
>        speeds of roughly 180 - 210 kbs and the same file takes seconds to
>        download.
> 
>    b.  I try the same thing but now from the DMZ and I get the same speed
>        as if I was on the private side 50 -60 kbs
> 
>    c.  I also try from internal to DMZ and DMZ to internal which produce
>        the same results.  However going from server to server on the same
>        broadcast domain through the switch is very fast (which is correct).
> 
> The gist of this is that there is something with FireWall-1 running
> Stonebeat Full Cluster that has slowed down speed through the firewall
> dramatically, almost 600% slower than running the FireWall-1 solution by
> itself. If anyone has similar problems, please let me know and also if you
> have found a solution to the problem it would be great.
> 
> Andre Chang
> Southern Wine And Spirits
> 
> 
> 
> ================================================================================
> 
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
> 
> 
> 
> 
> 



