
Re: [FW-1] HA + LoadBalancing with Foundry switches ?



J.

I've only seen the Foundry switches load balance in a demo - I was quite
impressed with the ease of setup and administration and we did a number of
tests, although we didn't do stateful SecuRemote failovers, which is the
scenario you describe.

I have a couple of thoughts.  First is whether the Foundries are even
needed in your environment.  The IP530 is a relatively powerful unit.  With
VRRP configured (no big deal) you would have a fully redundant solution and
would save yourself the cost of four Foundries, which I know are expensive
units.  You should analyze your bandwidth needs and determine whether you
really need to load balance this traffic.  We did this and determined that
we would be fine with just a VRRP High Availability solution.

It sounds to me like you are not properly synchronizing the state tables.
In order to have stateful failover of SecuRemote connections, you need to
properly set up state synchronization between the two Nokias.  This is
described in the manual, but basically requires:

        create the $FWDIR/conf/sync.conf file
        do fw putkeys between the two firewalls
        set up an NTP server and get the firewalls syncing their clocks from
        the NTP server

The NTP server is key - the firewalls' clocks need to be within a few
milliseconds of each other and the only way to do this is via NTP.  If you
do not have an NTP server in your environment, it is entirely feasible to
set up one Nokia as the NTP master, and another as the NTP slave.  (Don't
forget you may need to craft rules to permit your firewalls to talk NTP and
to exchange state (the FW1 service).)

We usually share state with a dedicated crossover cable shared by each
firewall.  By snooping the port, you should see traffic going to and fro on
port 256.  Also, you can print out the number of values in the state table
with:

        fw tab -t connections -s

The last number in the #vals column should be roughly equal on both Nokias
if you type this command at the same time.  This tells you that each
firewall has the same number of connections in the state table; along with
snooping the port to verify bi-directional communication on port 256, this
is confirmation that state sync is working.

Also, for VPN failovers, I believe that you need to set up Checkpoint
"Gateway Clusters".  These are special network objects for gateways where
you combine numerous firewalls into a single cluster object and then use
that object in the "Install On" field of your rulebase.  Then the "cluster
object" appears as an option when you go to push out the rulebase.  Take a
look at the VPN pdf file that comes with Checkpoint (or download another
copy from their website).  Take a look at the VPN manual, particularly the
chapter "High Availability for Encrypted Connections".

I hope this helps.

Joel
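
The state-table comparison Joel describes, as an added example that is not part of the original post: it parses the summary output of `fw tab -t connections -s` from each firewall and decides whether the #VALS figures are roughly equal. The sample outputs are constructed to mimic that command's column layout, and the 5% tolerance for "roughly equal" is an assumption.

```python
"""Compare the connections-table sizes reported by two FireWall-1 modules.

Constructed example: the outputs below mimic the summary layout of
`fw tab -t connections -s` and are NOT captured from a real system.
"""

# Constructed sample outputs, one per firewall (assumed column layout).
FW_A_OUTPUT = """\
HOST                 NAME                    ID #VALS #PEAK #SLINKS
localhost            connections           8158   412   580     410
"""

FW_B_OUTPUT = """\
HOST                 NAME                    ID #VALS #PEAK #SLINKS
localhost            connections           8158   409   575     407
"""


def vals_count(output: str) -> int:
    """Return the #VALS figure from `fw tab -t connections -s` style output.

    The header line is located first and the #VALS column position is taken
    from it, so the parser does not rely on a fixed column number.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = next(ln for ln in lines if "#VALS" in ln.upper())
    cols = header.split()
    idx = next(i for i, c in enumerate(cols) if c.upper() == "#VALS")
    data = lines[lines.index(header) + 1]
    return int(data.split()[idx])


def sync_looks_ok(count_a: int, count_b: int, tolerance: float = 0.05) -> bool:
    """True when both tables are roughly equal in size.

    'Roughly equal' is an assumption here: within `tolerance` (default 5%) of
    the larger table, since connections opened between the two commands
    explain small differences.  Two empty tables prove nothing, so that case
    is reported as not OK.
    """
    bigger = max(count_a, count_b)
    if bigger == 0:
        return False
    return abs(count_a - count_b) / bigger <= tolerance


def check_pair(output_a: str, output_b: str) -> dict:
    """Parse both outputs and report the counts plus the verdict."""
    a, b = vals_count(output_a), vals_count(output_b)
    return {"a": a, "b": b, "ok": sync_looks_ok(a, b)}


if __name__ == "__main__":
    print(check_pair(FW_A_OUTPUT, FW_B_OUTPUT))
```

Run the real command on both Nokias at the same moment and feed each output to `check_pair`; a verdict of not OK means the tables have diverged and the sync.conf, putkeys and NTP setup above deserve a second look.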





At 02:40 PM 3/23/02 +0000, you wrote:
>Hi,
>
>Does anybody have any experience with a VPN-1/FW-1 load-balancing solution
>using Foundry ServerIron Layer 4 switches?
>
>Our FW modules are installed on Nokia IP530s, but VRRP is not in use. HA is
>being handled by the Foundry switches, as is the load-balancing.
>
>Regular services are working fine, and are being failed over correctly when
>one FW goes down. SecuRemote sessions are set up correctly, but are lost
>when the FW module through which the connection is going goes down. The only
>way to re-establish the tunnel is to restart SecuRemote and start over.
>
>If anybody out there has dealt with a similar scenario and got SR to work
>flawlessly, I'd love to ask him/her some specific questions...!
>
>I look forward to finding somebody who has swum in these waters previously.  ;-)
>
>Thanks and regards,
>
>J.
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================