
Re: [FW-1] HA + LoadBalancing with Foundry switches ?



Joel,

Thanks for your elaborated reply.

I agree with you in the fact that you can get a good HA solution (without
load balancing) for quite less $$$ by just using VRRP. But I'm implementing
this for a large ISP (considerable load - peaks of 120,000 connections in
the state table) which has already acquired the switches and comes from a
bad experience of service affecting problems due to load *without* having HA
setup. So they decided to go for HA *plus* LB...

As for the sync, it is working just fine. We have set up an NTP server (on
the Sun box running as Management Server). Both IP530s plus Sun box have
their clocks sync'ed. Sync networks are defined, Gateway Cluster, etc.
(although being NG, sync.conf is not in use, and sync traffic is exchanged
using port 8116/udp - the NG way is different from v4.1).


All "regular" services are failed-over ok. We carried out stress-testing on the solution, generating load up to 140k simultaneous connections (w/special ad-hoc hardware) and monitored size of the connection tables. We even wrote short shell scripts to monitor specific connections and "fish them out" of the table. Everything's ok.

Except for SecuRemote connections, which are not failed over! But the last
word is not out yet...  ;-) We'll see what comes out of all this.

Thanks again for your suggestions.

Regards,

J.


From: Joel Turoff <[email protected]>
To: [email protected]
CC: [email protected]
Subject: Re: [FW-1] HA + LoadBalancing with Foundry switches ?
Date: Sat, 23 Mar 2002 10:26:32 -0500

J.

I've only seen the foundry switches load balance in a demo - I was quite
impressed with the ease of setup and administration and we did a number of
tests, although we didn't do stateful SecuRemote failovers, which is the
scenario you describe.

I have a couple of thoughts.  First, is whether the Foundries are even
needed in your environment.  The IP530 is a relatively powerful unit.  With
VRRP configured (no big deal) you would have a fully redundant solution and
would save yourself the cost of four foundries, which I know are expensive
units.  You should analyze your bandwidth needs and determine whether you
really need to load balance this traffic.  We did this and determined that
we would be fine with just a VRRP High Availability solution.

It sounds to me like you are not properly synchronizing the state tables.
In order to have stateful failover of SecuRemote connections, you need to
properly setup state synchronization between the two nokias.  This is
described in the manual, but basically requires:

      create $FWDIR/conf/sync.conf file
      do fw putkeys between the two firewalls
      setup an NTP server and get the firewalls synching their clocks from the
NTP server.

The NTP server is key - the firewalls' clocks need to be within a few
milliseconds of each other and the only way to do this is via NTP.  If you
do not have an NTP server in your environment, it is entirely feasible to
setup one Nokia as the NTP master, and another as the NTP slave.  (Don't
forget you may need to craft rules to permit your firewalls to talk NTP and
to exchange state (the FW1 service).)

We usually share state with a dedicated crossover cable shared by each
firewall.  By snooping the port, you should see traffic going to and fro on
port 256.  Also, you can print out the number of values in the state table
with:

fw tab -t connections -s

The last number in the #vals column should be roughly equal on both nokias
if you type this command at the same time.  This tells you that each
firewall has the same number of connections in the state table, therefore
along with snooping port to verify bi-directional communication on port
256, it is confirmation that state synch is working.

Also, for VPN failovers, I believe that you need to setup Checkpoint
"Gateway Clusters".  These are special network objects for gateways where
you combine numerous firewalls into a single cluster object and then use
that object in the "Install On" field of your rulebase.  Then the "cluster
object" appears as an option when you go to push out the rulebase.  Take a
look at the VPN pdf file that comes with checkpoint (or download another
copy from their website).  Take a look at the VPN manual, particularly the
chapter "High Availability for Encrypted Connections".

I hope this helps.

Joel
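One way to script the check Joel describes (comparing the #VALS figure from "fw tab -t connections -s" on both cluster members), added here as an example and not code from either poster. The column layout of the captured output is an assumption, and the two captures below are constructed for the example, so check them against what your own version prints:

```shell
#!/bin/sh
# Compare the size of the "connections" state table on two FW-1 members,
# given the output of "fw tab -t connections -s" captured on each.
# Assumed (constructed) layout of that output:
#   HOST        NAME          ID  #VALS  #PEAK  #SLINKS
#   localhost   connections  8158  118342 121007  236684

# Print the value under the #VALS header for the "connections" row.
# The column is located by name so a shifted layout does not break it.
vals_from_summary() {
    printf '%s\n' "$1" | awk '
        $1 == "HOST" { for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i; next }
        $2 == "connections" && col { print $col; exit }'
}

# Return 0 when counts $1 and $2 differ by at most $3 percent, else 1.
# Counts drift a little because the commands never run at exactly the same
# instant, so a small tolerance avoids false alarms.
within_tolerance() {
    a=$1; b=$2; pct=$3
    diff=$((a - b)); [ "$diff" -lt 0 ] && diff=$((0 - diff))
    big=$a; [ "$b" -gt "$a" ] && big=$b
    [ $((diff * 100)) -le $((big * pct)) ]
}

# Compare two captures; exit status 0 means the counts agree within 5%.
check_sync() {
    va=$(vals_from_summary "$1")
    vb=$(vals_from_summary "$2")
    if within_tolerance "$va" "$vb" 5; then
        echo "state sync looks healthy: $va vs $vb connections"
        return 0
    fi
    echo "WARNING: connection counts diverge: $va vs $vb, check sync traffic"
    return 1
}

# Constructed sample captures, one per cluster member.
FW_A='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158 118342 121007 236684'
FW_B='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158 117980 120655 235960'

check_sync "$FW_A" "$FW_B"
```

In practice you would capture the two outputs over ssh at the same moment and feed them to check_sync from cron, alerting on a non-zero exit.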





At 02:40 PM 3/23/02 +0000, you wrote:
>Hi,
>
>Does anybody have any experience with a VPN-1/FW-1 load-balancing solution
>using Foundry ServerIron Layer 4 switches ?
>
>Our FW modules are installed on Nokia IP530s, but VRRP is not in use. HA is
>being handled by the Foundry switches, as is the load-balancing.
>
>Regular services are working fine, and are being failed over correctly when
>one FW goes down. SecuRemote sessions are set up correctly, but are lost
>when the FW module through which the connection is going goes down. The only
>way to re-establish the tunnel is to restart SecuRemote and start over.
>
>If anybody out there has dealt with a similar scenario and got SR to work
>flawlessly, I'd love to ask him/her some specific questions...!
>
>I look forward to finding somebody who has swum in these waters previously.
>  ;-)
>
>Thanks and regards,
>
>J.
>





=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


