[FW-1] VRRP, failover and ARP on FW-1
Hi All,

Just when I thought I was getting the hang of this.................

Two (connected) questions if I may; this is a live problem so I would *really* appreciate some fast help here.

1. Failover failure

I have a two-tier firewall system with a FW-1 layer on Nokia IP440 sitting behind a Cisco PIX 525 layer. I use VRRP Monitored Circuits on the Nokias, and "Gateway Clustering" at the FW-1 level to provide my failover. The VRRP consists of 4 interfaces monitoring each other, and failing all over to the standby unit in the event of a problem on any one. On the testbed this worked fine, and when I pulled the RJ45 from any interface the whole box failed over.

Last Sunday we took a hit (unknown as yet) on the physical circuit from one of these interfaces. It was a connection between the FW-1 and the PIX. What failed was that the Cisco 6509 switch port on the FW-1 side went disabled. The PIX was happy with its interface although it could not pass data, but the Nokia platform (i.e. Voyager) showed its interface as down. Checking the standby Nokia showed that this circuit, and only this circuit, had failed over. Why??

2. ARP

When using VRRP on Nokia it is easy to understand the use of the IP addresses (i.e. one per physical interface and one "virtual" address that is used to reference the platform from elsewhere), but what does Nokia do about the MAC address? From a SHOW ARP on my other routers etc., I found a MAC address that did not match anything I could find displayed on the Voyager interface, or on the IPSO command line (iclid etc.).

After the above failure, I lost all routing from the PIX to the FW-1 and had to drop the VRRP completely. So now I am running on only one Nokia with a manual (and far from "stateful" !!!) failover if we have another problem.

I really need to get to the bottom of this before I try and put the failover config back in place, so any advice would be soooooo welcome right now!

Many thanks as always,
Gordon