Re: [FW-1] HA + LoadBalancing with Foundry switches ?
J.

I've only seen the Foundry switches load balance in a demo - I was quite impressed with the ease of setup and administration, and we did a number of tests, although we didn't do stateful SecuRemote failovers, which is the scenario you describe. I have a couple of thoughts.

First is whether the Foundries are even needed in your environment. The IP530 is a relatively powerful unit. With VRRP configured (no big deal) you would have a fully redundant solution and would save yourself the cost of four Foundries, which I know are expensive units. You should analyze your bandwidth needs and determine whether you really need to load balance this traffic. We did this and determined that we would be fine with just a VRRP High Availability solution.

It sounds to me like you are not properly synchronizing the state tables. In order to have stateful failover of SecuRemote connections, you need to properly set up state synchronization between the two Nokias. This is described in the manual, but basically requires:

- create the $FWDIR/conf/sync.conf file
- do fw putkeys between the two firewalls
- set up an NTP server and get the firewalls synching their clocks from the NTP server

The NTP server is key - the firewalls' clocks need to be within a few milliseconds of each other, and the only way to do this is via NTP. If you do not have an NTP server in your environment, it is entirely feasible to set up one Nokia as the NTP master and another as the NTP slave. (Don't forget you may need to craft rules to permit your firewalls to talk NTP and to exchange state (the FW1 service).)

We usually share state with a dedicated crossover cable shared by each firewall. By snooping the port, you should see traffic going to and fro on port 256. Also, you can print out the number of values in the state table with:

    fw tab -t connections -s

The last number in the #vals column should be roughly equal on both Nokias if you type this command at the same time.
This tells you that each firewall has the same number of connections in the state table; therefore, along with snooping the port to verify bi-directional communication on port 256, it is confirmation that state synch is working.

Also, for VPN failovers, I believe that you need to set up Checkpoint "Gateway Clusters". These are special network objects for gateways where you combine numerous firewalls into a single cluster object and then use that object in the "Install On" field of your rulebase. Then the "cluster object" appears as an option when you go to push out the rulebase. Take a look at the VPN pdf file that comes with Checkpoint (or download another copy from their website). Take a look at the VPN manual, particularly the chapter "High Availability for Encrypted Connections".

I hope this helps.

Joel

At 02:40 PM 3/23/02 +0000, you wrote:
>Hi,
>
>Does anybody have any experience with a VPN-1/FW-1 load-balancing solution
>using Foundry ServerIron Layer 4 switches ?
>
>Our FW modules are installed on Nokia IP530s, but VRRP is not in use. HA is
>being handled by the Foundry switches, as is the load-balancing.
>
>Regular services are working fine, and are being failed over correctly when
>one FW goes down. SecuRemote sessions, however, are set up correctly but are lost
>when the FW module through which the connection is going goes down. The only
>way to re-establish the tunnel is to restart SecuRemote and start over.
>
>If anybody out there has dealt with a similar scenario and got SR to work
>flawlessly, I'd love to ask him/her some specific questions...!
>
>I look forward to finding somebody who has swum in these waters previously.
> ;-)
>
>Thanks and regards,
>
>J.
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
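As an added example (not code from Joel's post or from Check Point), a small Python script that applies the "roughly equal #vals" check from the reply above to the `fw tab -t connections -s` output captured from both cluster members. The column layout, the two sample outputs and the 5% tolerance are my assumptions, not anything the post specifies.

```python
"""Compare the 'connections' table size reported by two FireWall-1 members.

The two outputs below are constructed sample data in the layout I assume
`fw tab -t connections -s` produces: a header line naming the columns
(HOST NAME ID #VALS #PEAK #SLINKS) followed by one data line per table.
"""

FW_A_OUTPUT = """\
HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158  1432  2105     210
"""

FW_B_OUTPUT = """\
HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158  1419  2098     207
"""


def parse_vals(output, table="connections"):
    """Return the #VALS count for `table` from `fw tab -s` style output.

    Columns are located by name from the header line, so extra whitespace
    or a different column order does not break the parse.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0].split()
    name_idx, vals_idx = header.index("NAME"), header.index("#VALS")
    for line in lines[1:]:
        fields = line.split()
        if fields[name_idx] == table:
            return int(fields[vals_idx])
    raise ValueError(f"table {table!r} not found in output")


def sync_looks_healthy(vals_a, vals_b, tolerance=0.05):
    """True if the two counts differ by at most `tolerance` of the larger one.

    The counts are never identical: the snapshots are taken a moment apart
    and connections expire between them, so "roughly equal" is the right
    test. A large gap means one member is not receiving the sync traffic.
    """
    bigger = max(vals_a, vals_b)
    if bigger == 0:
        return vals_a == vals_b
    return abs(vals_a - vals_b) / bigger <= tolerance


if __name__ == "__main__":
    a, b = parse_vals(FW_A_OUTPUT), parse_vals(FW_B_OUTPUT)
    print(f"fw-a: {a}  fw-b: {b}  sync "
          f"{'OK' if sync_looks_healthy(a, b) else 'SUSPECT'}")
```

In practice the two outputs would be captured at the same moment on each Nokia, as the post recommends, and fed to `parse_vals` in place of the constructed samples.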