
Re: [FW-1] NG on IPSO 3.4.2 on IP530



The first thing that comes to mind is that you have a license compatibility
issue.  If, for example, you have a 100 IP address license on the box which
is responding normally and a 25 IP address license on the "slow" box but are
protecting 50 addresses behind the two of them then the "slow" box will
constantly be spewing license violation messages to syslog (usually on the
console) and the box will crawl.

There was actually a proposed DoS attack of this manner a year or so ago for
ANY less than unlimited license.

I suppose you could also have the incorrect interface listed in
$FWDIR/conf/external.if.  Type "dmesg" at the Nokia command prompt and see
if FW-1 is spewing about license violations.

Chris

-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Monday, March 11, 2002 11:16 AM
To: [email protected]
Subject: Re: [FW-1] NG on IPSO 3.4.2 on IP530


I'm kind of confused.  This Nokia box that I'm having issues with seems
to be acting "slow".  Even if I do something as simple as typing "fw"
which should bring up a list of switches for the fw command, it will
hang for at least 3-5 minutes before showing the switches.  Could this
be a problem or could this be caused by something else?  The other Nokia
box is running perfect, but this one is giving me grief.  Any help would
be appreciated.

Thanks,

Aeon

-----Original Message-----
From: Grabowski, David [mailto:[email protected]]
Sent: Friday, March 08, 2002 2:42 PM
To: [email protected]
Subject: Re: [FW-1] NG on IPSO 3.4.2 on IP530


As much as I hate posting/replying to this mailing list, because of the
deluge of "Out of office" and NDR messages that fill my inbox, I've got
something that may be useful regarding your 'second issue'.

After setting up two HA clusters a couple weeks ago (IP440's, IPSO
3.4.2, NG FP1), I ran into a few issues:

1) According to Nokia T/S, you "must" select "YES" for HA in cpconfig.
Supposedly, this setting is what allows sync to work.
2) Regardless of the HA settings in the Security Policy (synchronization
properties of the gateway cluster object) -- our firewall modules would
not sync at all. It wasn't until we used the OLD method -- a sync.conf
file and putkeys on each module -- did sync work.

We never did bother to try to do things the 'right' way -- it just
wasn't worth it, and it seemed that the folks at Nokia didn't know how
to set things up correctly, anyway.

-Dave

-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Friday, March 08, 2002 10:05 AM
To: [email protected]
Subject: [FW-1] NG on IPSO 3.4.2 on IP530


> what's goin on all.  I just finished setting up 2 Nokia 530s with HA
> running CP NG FP1.  Management station is Win2k on Dell.  Both
> machines work fine, High availability works fine.  There are two
> things that bother me.  The major one is that on the second Nokia box
> (the secondary) it takes a very long time to push policy.  In fact, if
> I leave the system status window open, it says it's disconnected for a
> short time, then connected again after the policy actually gets to the
> box.  The other Nokia works fine.  Also, when I console or telnet to
> the second Nokia box and just run a FW command like fw stat, it takes
> forever.  It's definitely slower than the NOKIA1.
>
> Second issue is that I was told that when I do a netstat -na I should
> see established connections between the link port for the state sync.
> But I do not see this.  I ran fw tab -t connections -s and the id and
> amount of connections is the same so that would tell me that they are
> in sync, but the connection doesn't show up in the netstat.  When I
> run cpconfig, I have an option to start "Checkpoint HA/State
> sync"....this is not running.  Is it supposed to?  I didn't think it
> needed to be since I wasn't using Checkpoint for HA, but Nokia.
> Please let me know if I'm doing this wrong.
>
> Thanks in advance...
>
> Aeon

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
########################################################################
#############
CONFIDENTIAL: This e-mail, including its contents and attachments, if
any, are confidential. It is neither an offer to buy or sell, nor a
solicitation of an offer to buy or sell, any securities or any related
financial instruments mentioned in it. If you are not the named
recipient please notify the sender and immediately delete it. You may
not disseminate, distribute, or forward this e-mail message or disclose
its contents to anybody else. Unless otherwise indicated, copyright and
any other intellectual property rights in its contents are the sole
property of Fuji Securities Inc.
     E-mail transmission cannot be guaranteed to be secure or
error-free. The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a
result of e-mail transmission.  If verification is required please
request a hard-copy version.
     Although we routinely screen for viruses, addressees should check
this e-mail and any attachments for viruses. We make no representation
or warranty as to the absence of viruses in this e-mail or any
attachments. Please note that to ensure regulatory compliance and for
the protection of our customers and business, we may monitor and read
e-mails sent to and from our server(s).
########################################################################
#############




 
   All contents © 2004 Network Presence, LLC. All rights reserved.