Re: [FW-1] NG on IPSO 3.4.2 on IP530
The first thing that comes to mind is that you have a license compatibility issue. If, for example, you have a 100 IP address license on the box which is responding normally and a 25 IP address license on the "slow" box but are protecting 50 addresses behind the two of them then the "slow" box will constantly be spewing license violation messages to syslog (usually on the console) and the box will crawl. There was actually a proposed DoS attack of this manner a year or so ago for ANY less than unlimited license.

I suppose you could also have the incorrect interface listed in $FWDIR/conf/external.if.

Type "dmesg" at the Nokia command prompt and see if FW-1 is spewing about license violations.

Chris

-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Monday, March 11, 2002 11:16 AM
To: [email protected]
Subject: Re: [FW-1] NG on IPSO 3.4.2 on IP530

I'm kind of confused. This Nokia box that I'm having issues with seems to be acting "slow". Even if I do something as simple as typing "fw", which should bring up a list of switches for the fw command, it will hang for at least 3-5 minutes before showing the switches. Could this be a problem or could this be caused by something else? The other Nokia box is running perfect, but this one is giving me grief. Any help would be appreciated.

Thanks,
Aeon

-----Original Message-----
From: Grabowski, David [mailto:[email protected]]
Sent: Friday, March 08, 2002 2:42 PM
To: [email protected]
Subject: Re: [FW-1] NG on IPSO 3.4.2 on IP530

As much as I hate posting/replying to this mailing list, because of the deluge of "Out of office" and NDR messages that fill my inbox, I've got something that may be useful regarding your 'second issue'.

After setting up two HA clusters a couple weeks ago (IP440's, IPSO 3.4.2, NG FP1), I ran into a few issues:

1) According to Nokia T/S, you "must" select "YES" for HA in cpconfig. Supposedly, this setting is what allows sync to work.

2) Regardless of the HA settings in the Security Policy (synchronization properties of the gateway cluster object) -- our firewall modules would not sync at all. It wasn't until we used the OLD method -- a sync.conf file and putkeys on each module -- did sync work.

We never did bother to try to do things the 'right' way -- it just wasn't worth it, and it seemed that the folks at Nokia didn't know how to set things up correctly, anyway.

-Dave

-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Friday, March 08, 2002 10:05 AM
To: [email protected]
Subject: [FW-1] NG on IPSO 3.4.2 on IP530

> what's goin on all. I just finished setting up 2 Nokia 530s with HA
> running CP NG FP1. Management station is Win2k on Dell. Both
> machines work fine, High availability works fine. There are two
> things that bother me. The major one is that on the second Nokia box
> (the secondary) it takes a very long time to push policy. In fact, if
> I leave the system status window open, it says it's disconnected for a
> short time, then connected again after the policy actually gets to the
> box. The other Nokia works fine. Also, when I console or telnet to
> the second Nokia box and just run a FW command like fw stat, it takes
> forever. It's definitely slower than the NOKIA1.
>
> Second issue is that I was told that when I do a netstat -na I should
> see established connections between the link port for the state sync.
> But I do not see this. I ran fw tab -t connections -s and the id and
> amount of connections is the same so that would tell me that they are
> in sync, but the connection doesn't show up in the netstat. When I
> run cpconfig, I have an option to start "Checkpoint HA/State
> sync"....this is not running. Is it supposed to? I didn't think it
> needed to be since I wasn't using Checkpoint for HA, but Nokia.
> Please let me know if I'm doing this wrong.
>
> Thanks in advance...
>
> Aeon

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================