
[FW-1] Weirdness with VRRP/State Sync and NG FP2 on Nokia



I have a pair of Nokias running IPSO 3.5 and NG FP2 with VRRPmc and state
sync.
I have some queries/problems:

Traffic initiated from the external interface on the secondary firewall (e.g.
DNS, NTP) goes out fine, but the reply traffic is picked up by the external
interface (the real IP, not the VRRP IP) on the primary firewall and dropped.
I don't understand why this is happening.


During a VRRP failover (by me pulling out one of the monitored interface
cables or halting the primary firewall) I get weird results from Check Point.
ifconfig and the VRRP monitor show that the secondary has taken over the
external/internal/DMZ VRRP addresses fine, and I can connect directly to
the firewall VRRP address OK (e.g. by SSH, and see that I am really connecting
to the secondary as expected).
I'm using proxy ARPs on the external interface (I know, yuk) and static NAT
to the DMZ servers.
Static routes are defined for the proxy ARPs on both firewalls.
I have some traffic from the internal network allowed out that I am
hide-NATing behind the external VRRP IP.
I have turned off the auto ARP feature in NG in case it was messing things
up, even though I'm not doing any NAT with a firewall object in the NAT
policy.
The external and DMZ interfaces are connected to separate hubs; the internal
interfaces are connected to a 3Com switch.
If I pull out the DMZ interface on the primary, failover is fine: the
internal network traffic that goes out and is NATed behind the external VRRP
address keeps working, but nothing in the DMZ can talk to the outside.
And vice versa if I pull out the internal interface to initiate failover:
DMZ works but the internal net stops.
Reconnecting the appropriate interface flips the VRRP IPs back over to the
primary and everything works again.


During cpstart I get told "HA mode is not defined".
"fw ctl pstat" shows state sync is working OK, so I assume this is to do with
load-balancing and is normal for a state sync config?



Thanks
Mike


