
Re: [FW-1] Nokia & Checkpoint - stateful failover?



The Nokia high availability solution relies on three components -- VRRP, monitored circuit, and state synchronization.
 
--VRRP provides IP level failover of a particular interface.
--Monitored circuit forces VRRP failover for ALL interfaces besides the one originally affected to avoid asymmetric routing.
--Synchronization provides state table information to be passed between firewalls (note that there is a delay here of -- I believe -- up to 70 ms)
 
VRRP and Monitored Circuit are IPSO functions.  State Synchronization is a Checkpoint function.
 
To establish the state synchronization, perform the following on both boxes.  Remember that the IP address used in the following statements will be the IP address of the OTHER firewall's interface.  It is recommended that the interface be dedicated for the purposes of synchronization -- although I have seen it work otherwise.
 
A few notes:
 
1. These directions assume that the synchronization has not been performed.
2. For the commands in the vi editor, I use "" to isolate the characters; do not use them in the config.
3. I use brackets () for explanations.
4. <> indicates a value which needs to be supplied; do not use the <> when entering.
5. A pound mark (#) at the beginning of a line indicates you are at the command prompt for the Nokia IPSO.
6. vi <filename> opens a file in the vi editor if it exists.  If the file does not exist, it creates an empty file of the same name.
 
 
   Login to the Nokia firewall as admin
   #cd $FWDIR/conf
   #vi sync.conf
   "i"             (type a single i to enter "insert" mode while in vi editor)
   <ipaddress_of_OTHER_firewall_sync_interface>
   "esc"
   "esc"        (hitting the escape key twice gets you out of insert mode)
   "shft+:"     (enters command mode)
   "wq!"         (write and quit with an override (!) although I am not 100% sure it is necessary here)
   #fw putkey <ipaddress_of_OTHER_firewall_sync_interface>  (after hitting enter, you will be prompted for auth key twice)
   #fwstop; fwstart
 
Perform this on both firewalls.  Then use the following to verify various aspects of the configuration.
 
   #cd $FWDIR/conf
   #ls sync.*              (to see if the sync.conf file exists)
   #cat sync.conf        (to see what ip address is listed -- make sure it is for the OTHER firewall)
 
These commands will verify that the sync.conf file was created on both boxes.
 
   #netstat -an 
 
This shows the Nokia IPSO connection table.  Look for 2 established connections (on both firewalls) with the two IP addresses in question and on port 257 (I think).  If both connections are being attempted, but not established, then you probably have to redo your auth keys.  Simply perform the last two commands on the list above ("fw putkey", then the "fwstop; fwstart").  This should fix the problem if it is related to your authentication keys.
 
***You must make sure your rulebase and anti-spoofing allows for this communication as well.***
 
   #fw tab  (check for the available options)
 
You should be able to look at the connection table using the "fw tab" command (I do not remember all the options) on both boxes and get an idea if they are similar.  Under non-load-balancing configurations, there should be very few connections on your "backup" Nokia.
 
You will also want to verify that the monitored circuit is configured correctly or you could be having an asymmetric routing situation which will also kill the FTP.  Check the logs of the backup firewall and see if your connections are returning to the primary firewall even after a failover.  You can also use the "tcpdump" commands to see traffic on specific interfaces on the firewalls.  Do a search on Google to find a website with the "tcpdump" options.
 
regards and good luck
bill
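The two verification steps in the reply above (checking what sync.conf contains, and counting the established sync sessions in "netstat -an") can be scripted. The script below is an added example written for this archive page; it is not from the original post or from Nokia or Check Point. All addresses, the sync.conf contents and the netstat lines are constructed sample data, and the port number (257) is simply the one the post names, passed in as a parameter so it can be changed if your own tables show a different one. The netstat parsing assumes the BSD "host.port" column format that IPSO's netstat uses.

```shell
#!/bin/sh
# Added example, not from the original post: automates two of the checks the reply
# describes, (1) sync.conf names the OTHER firewall and (2) "netstat -an" shows the
# established sync sessions. Everything below is constructed sample data.

WORK="${TMPDIR:-/tmp}/fw1sync.$$"
mkdir -p "$WORK"

LOCAL_SYNC_IP="192.0.2.1"     # this firewall's sync interface (constructed)
PEER_SYNC_IP="192.0.2.2"      # the OTHER firewall's sync interface (constructed)
SYNC_PORT=257                 # port named in the post; confirm against your own tables

# Constructed sync.conf as the post says it should look: only the peer's address.
printf '%s\n' "$PEER_SYNC_IP" > "$WORK/sync.conf.good"
# Constructed mistake: this box's own address was entered instead of the peer's.
printf '%s\n' "$LOCAL_SYNC_IP" > "$WORK/sync.conf.bad"

# Constructed "netstat -an" output in BSD layout: the two ESTABLISHED sync sessions
# the post tells you to look for, plus unrelated lines that must not be counted.
cat > "$WORK/netstat.good" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.1.257          192.0.2.2.1034         ESTABLISHED
tcp        0      0  192.0.2.1.1035         192.0.2.2.257          ESTABLISHED
tcp        0      0  192.0.2.1.22           198.51.100.7.40000     ESTABLISHED
tcp        0      0  *.257                  *.*                    LISTEN
EOF
# Constructed failure case: a session attempted (SYN_SENT) but never established,
# the symptom the post attributes to mismatched authentication keys.
cat > "$WORK/netstat.bad" <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.1.1035         192.0.2.2.257          SYN_SENT
tcp        0      0  *.257                  *.*                    LISTEN
EOF

# Check 1: sync.conf exists, is non-empty, and does not name this box's own address.
check_sync_conf() {
    conf="$1"; local_ip="$2"
    [ -s "$conf" ] || { echo "FAIL: $conf missing or empty"; return 1; }
    if grep -qxF "$local_ip" "$conf"; then
        echo "FAIL: $conf lists this box's own address $local_ip, not the other firewall"
        return 1
    fi
    echo "OK: $conf lists $(tr '\n' ' ' < "$conf")"
}

# Check 2: count ESTABLISHED sessions between the two sync addresses on the sync port.
# The post expects two on each firewall; zero means redo "fw putkey" and restart.
count_sync_sessions() {
    netstat_out="$1"; a="$2"; b="$3"; port="$4"
    awk -v a="$a" -v b="$b" -v p="$port" '
        $1 == "tcp" && $NF == "ESTABLISHED" {
            # BSD netstat prints host.port; strip the trailing dotted field to get the host
            lp = $4; sub(/.*\./, "", lp); lip = $4; sub(/\.[0-9]*$/, "", lip)
            rp = $5; sub(/.*\./, "", rp); rip = $5; sub(/\.[0-9]*$/, "", rip)
            if (((lip == a && rip == b) || (lip == b && rip == a)) && (lp == p || rp == p)) n++
        }
        END { print n + 0 }' "$netstat_out"
}

check_sync_conf "$WORK/sync.conf.good" "$LOCAL_SYNC_IP"
check_sync_conf "$WORK/sync.conf.bad"  "$LOCAL_SYNC_IP" || :   # expected to report FAIL
echo "established sync sessions (good): $(count_sync_sessions "$WORK/netstat.good" "$LOCAL_SYNC_IP" "$PEER_SYNC_IP" "$SYNC_PORT")"
echo "established sync sessions (bad):  $(count_sync_sessions "$WORK/netstat.bad"  "$LOCAL_SYNC_IP" "$PEER_SYNC_IP" "$SYNC_PORT")"
```

On a real box you would point check_sync_conf at $FWDIR/conf/sync.conf and feed count_sync_sessions the saved output of "netstat -an"; a count of 2 on both firewalls matches what the reply says to look for, while 0 with only SYN_SENT lines is the authentication-key symptom it describes.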
 
 
----- Original Message -----
Sent: Thursday, August 22, 2002 4:47 PM
Subject: [FW-1] Nokia & Checkpoint - stateful failover?

We've got two Nokia 530 platforms running FW-1 v4.1 in a failover configuration with VRRP.
 
This is a managed service that we've outsourced.
 
Our managed service provider says that the failover is stateful - all session information is maintained on both platforms.
 
In testing we have reason to believe that the stateful session information is either not current or not being passed; that failover is non-stateful.
Testing included FTP file transfers which broke during a failover test...
 
Our provider mentioned an additional protocol that is used to pass session state information, as VRRP is not designed for stateful failover.
 
 
Can somebody please point me to a URL or explain the stateful failover capability of FW-1 v4.1 (prefer an implementation on Nokia)?
 
 
If this configuration can in fact provide a stateful failover capability, any reason why FTP transfers would fail during a failover event?  If the session info is updated to the alternate platform from the primary, we would expect to see the transfer continue (maybe a few TCP retransmissions at most).  I saw something about a 50ms SYNC interval, but I don't believe that would be a problem.
 
Bonus question: if FW-1 (or Nokia) has its own protocol for session updates to share state information, why need VRRP to detect a failure?
 
Thanks,
 
-Rob Patrick


 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.