[FW1] State Table Sync problem
Hi list,

This past weekend we tried setting VRRP monitored circuits on our Nokia IP440 firewalls (IPSO 3.3, FW-1 v4.1sp3). The problem that I'm running into is that the state tables are not synchronizing. Here's what we tried:

- created sync.conf on both firewalls. Put IP of other firewall (sync interface) in them.
- did a fw putkey (ip of other firewall sync interface) on both firewalls. Also tried the public interface, and also tried both using the -n option.
- made sure that both firewalls had the exact same time.
- multiple reboots

After I set this up, I did a "netstat -an | grep 256" on both of the firewalls. It shows that the firewall is in a LISTEN state on port 256, and in a SYN_SENT state on the outgoing connection to the other firewall. If I go on the second box, it is the same way (listening and in syn_sent state). I also did a "fw stat -s -t connections" and confirmed that the state tables are not the same.

If I try to ping the second firewall from the first one, I get echo replies. However, if I try to telnet to port 256, the connection eventually times out.

The only thing I have different on our end is that instead of using a crossover cable to connect the 2 firewalls on the sync interface, we've got both machines plugged into a Nortel switch. We have to have it that way for right now, because we've got another machine sitting out on that subnet. Is the switch the problem? If it is, can it be configured to work?

Any help you guys can provide would be great!

--Ryan Vickmark