Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] backup interface wouldn't keep quite.

To: [email protected]
Subject: Re: [FW-1] backup interface wouldn't keep quite.
From: Mike Lee <[email protected]>
Date: Wed, 15 May 2002 10:24:39 -0700
References: <[email protected]> <016a01c1fab4$0bb3baf0$640110ac@cc247073d> <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20011126 Netscape6/6.2.1

all,

assymetrical routing problem caused by vrrp state fluctuation seems to
be fixed by removing the old vrrpid and creating new vrrp id.

maybe i should upgrade the current ipso to 3.3?? i'm running 3.2.1

anyone has the release notes on 3.3??  i do have both images on my nokia
box, but when i chose the 3.3 and rebooted the box, firewall failed to
start.  it's been a while and forgot how to do the IPSO upgrade.  help
please??

Mike

Mike Lee wrote:

I'll try to put both outside interfaces to a same switch and see if the
problem still exists.

it would suck not to enable trunking.

mike

----- Original Message -----

From: BillO <mailto:[email protected]>

    To: [email protected]
    <mailto:[email protected]>

Sent: Monday, May 13, 2002 12:26 PM

Subject: Re: [FW-1] backup interface wouldn't keep quite.


    I have seen various problems with the Cisco switches and
    vrrp/monitored circuit before.  You might want to check the Nokia
    page,but I believe there was a setting like

set port channel "port list" off

this alleviated some issues related to how long convergence took.

    one other thing i can think of is if you are using the same router
    id for more than one nokia interface and using the same switches "on
    different vlans" you may have a mac related problem where the switch
    is getting confused on where to send the packet and either dropping
    it or sending it to the wrong interface.

    you could also look at the vrrp statistics for the various
    interfaces in question and see if you are clocking errors.  maybe
    some of the vrrp packets are getting mangled when they are sent or
    in transit and this happens enough that the backup occasionally
    misses enough packets and will switch to master.

----- Original Message -----

From: Mike Lee <mailto:[email protected]>

        To: [email protected]
        <mailto:[email protected]>

Sent: Monday, May 13, 2002 5:13 AM

Subject: [FW-1] backup interface wouldn't keep quite.

Hi,

        Firewall 4.1, Nokia 440, IPSO 3.2.1-fcs1, running VRRP on
        outside, inside, dmz interfaces.

        Symptom: Regularly, the backup firewall's outside
        interface changes its state to Master, even though Primary is
        functioning fine.  Causing slowness in Internet Access.

        What i find from TCPDUMP is that primary sends VRRP multicast
        message out every 1 second.  What's odd is that every once in a
        while, i see Backup sends out one VRRP message.  This causes
        significant delay in our Internet Access.

        At the firewall side, VRRP config looks identical to the Nokia's
        document on how to setup one.  I do have policies to allow vrrp
        traffics.

        All the interfaces go to pair of Cisco 4000 switches with
        various VLANS.  First 2 ports of the switches are configured
        with VLAN trunking.

        Originally, firewall's inside and dmz interfaces were connected
        to Cisco4000 switch with its own VLAN.  Outside interfaces of
        the firewall were originally connected to Cisco2900 before and
        we moved them to Cisco4000 switch with its own VLAN.

        First I thought it was the switch's VLAN trunking config, but I
        doubt it is that.  If it was the VLAN trunk issue, then i would
        see the same behavior with inside and dmz interfaces too...

any thoughts??

thanks,

Mike


=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] backup interface wouldn't keep quite.
  - From: Mike Lee <[email protected]>
- Re: [FW-1] backup interface wouldn't keep quite.
  - From: BillO <[email protected]>
- Re: [FW-1] backup interface wouldn't keep quite.
  - From: Mike Lee <[email protected]>

Prev by Date: [FW-1] RBL List?
Next by Date: [FW-1] AW: [FW-1] AW: [FW-1] NG: ftp reject: reason tried to open tcp se rvice port, port XYZ
Previous by thread: Re: [FW-1] backup interface wouldn't keep quite.
Next by thread: [FW-1] ACE/Server v5 with Checkpoint authentication?
Index(es):
- Date
- Thread