
Re: [FW-1] Weirdness with VRRP/State Sync and NG FP2 on Nokia



> I have a pair of Nokia's running IPSO 3.5 and NG FP2 with VRRPmc and state
> sync.
> I have some queries/problems:
>
> Traffic initiated from the external interface on the secondary firewall (eg
> dns, ntp) goes out fine but the reply traffic is picked up by the external
> interface (the real ip not the VRRP ip) on the primary firewall and dropped.
> I don't understand why this is happening.

Most likely your return static route is pointing at the wrong ip address OR
you are NATing traffic using your actual IP address instead of your VRRP
address.

> During a VRRP failover (by me pulling out one of the monitored interface
> cables or halting the primary firewall) I get weird results from checkpoint.
> ifconfig and vrrp monitor shows the secondary has taken over the
> external/internal/dmz VRRP addresses fine.

make sure the primary does not think it is the primary anymore for any of
the interfaces.

> And I can connect directly to
> the firewall vrrp address ok (eg by ssh, and see that I am really connecting
> to the secondary as expected).
> I'm using proxy arps on the external interface (I know, yuk) and static NAT
> to the DMZ servers.
> Static routes are defined for the proxy arps on both firewalls.

static routes are not needed on the nokia platform (if I understand and you
are using static NAT with proxy arp MAC addresses and a static route for the
translated address).

> I have some traffic from the internal network allowed out that I am hide
> NATing behind the external VRRP ip.

make sure this is correct on both firewalls.  it may account for some of
your problems.

> I have turned off the auto arp feature in NG in case it was messing things
> up - even though I'm not doing any NAT with a firewall object in the NAT
> policy.
> The external and dmz interfaces are connected to separate hubs, the internal
> interfaces are connected to a 3Com switch.
> If I pull out the DMZ interface on the primary, failover is fine, the
> internal network traffic that goes out and is NATed behind the external VRRP
> address keeps working but nothing in the DMZ can talk to the outside.
> And vice-versa if I pull out the internal interface to initiate failover -
> DMZ works but internal net stops.
> Reconnecting the appropriate interface flips the VRRP ips back over to the
> primary and everything works again.
>
if as you say the boxes are reporting that vrrp is working ok and you can
connect to the firewall on the interfaces which are NOT working during the
test, then you should check the firewall configuration.  what about when you
just unplug the other firewall and bring the primary online?  does it work
fine?

nokia supports tcpdump.  try using tcpdump on the interfaces in question.
what may be happening is that the segment which is not working goes out via
the secondary but because of the issue you mentioned in the beginning it is
returning via the primary.  if the state tables are not updated, the
connection will be dropped.  use the tcpdump to see if that is what is
happening.  your logs might help you as well depending upon what you are
logging.

good luck
bill


> During cpstart I get told "HA mode is not defined"
> "fw ctl pstat" shows state sync is working ok so I assume this is to do with
> load-balancing and is normal for a state sync config?
>
>
>
> Thanks
> Mike
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
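Bill's diagnosis above (a flow leaving via the secondary, its reply arriving at the primary, and the not-yet-synced state table dropping it) can be confirmed from tcpdump output taken on both boxes. The following is an added example, not code from the thread or from Nokia/Check Point: it parses constructed "tcpdump -n" style lines captured on each firewall, pairs up the two legs of every flow, and reports flows whose legs were seen only on different firewalls, additionally flagging legs addressed to a real interface address rather than the VRRP address (the NAT/static-route mistake suggested at the top of the reply). The firewall names, addresses and sample lines are all made up for the example.

```python
import re
from collections import defaultdict

# Matches the header part of "tcpdump -n" output lines (constructed samples
# below); only src/dst address and port are needed for flow matching.
PKT_RE = re.compile(r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def parse_packet(line):
    """Return (src, sport, dst, dport), or None for non-matching lines."""
    m = PKT_RE.match(line.strip())
    return None if not m else (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def flow_key(pkt):
    """Direction-independent key so both legs of a connection collide."""
    a, b = (pkt[0], pkt[1]), (pkt[2], pkt[3])
    return (a, b) if a <= b else (b, a)

def find_asymmetric_flows(captures, real_ips=()):
    """captures: {firewall_name: [tcpdump lines]} -> {flow_key: info} for flows
    whose two legs were seen on different firewalls and never both on one,
    i.e. the path where an unsynced state table drops the reply. The
    'to_real_ip' flag marks flows addressed to a real interface address."""
    seen = defaultdict(lambda: defaultdict(set))
    for fw, lines in captures.items():
        for line in lines:
            pkt = parse_packet(line)
            if pkt is None:
                continue
            key = flow_key(pkt)
            seen[key][fw].add("a->b" if (pkt[0], pkt[1]) == key[0] else "b->a")
    findings = {}
    for key, per_fw in seen.items():
        legs = set().union(*per_fw.values())
        if len(legs) == 2 and all(len(l) == 1 for l in per_fw.values()):
            findings[key] = {"legs": {fw: next(iter(l)) for fw, l in per_fw.items()},
                             "to_real_ip": key[0][0] in real_ips or key[1][0] in real_ips}
    return findings

# Constructed captures: 192.0.2.10 is the external VRRP address, .11 and .12
# the primary's and secondary's real external addresses.
SAMPLE = {
    "primary": [
        "10:01:00.000345 IP 198.51.100.53.53 > 192.0.2.12.33000: 1234 1/0/0 A 203.0.113.9 (49)",
        "10:01:01.000001 IP 192.0.2.10.40001 > 203.0.113.80.80: Flags [S], seq 1, win 65535, length 0",
        "10:01:01.010000 IP 203.0.113.80.80 > 192.0.2.10.40001: Flags [S.], seq 2, ack 2, win 65535, length 0",
    ],
    "secondary": ["10:01:00.000001 IP 192.0.2.12.33000 > 198.51.100.53.53: 1234+ A? ntp.example.net. (33)"],
}
```

Running `find_asymmetric_flows(SAMPLE, {"192.0.2.11", "192.0.2.12"})` reports only the DNS query that left the secondary and was answered at the primary; the hide-NATed TCP flow, whose both legs passed the primary, is not reported.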

   All contents © 2004 Network Presence, LLC. All rights reserved.