The Nokia high availability solution relies on three components -- VRRP, monitored circuit, and state synchronization.
--VRRP provides IP level failover of a particular interface.
--Monitored circuit forces VRRP failover for ALL interfaces besides the one originally affected to avoid asymmetric routing.
--Synchronization provides state table information to be passed between firewalls (note that there is a delay here of -- I believe -- up to 70 ms).
VRRP and Monitored Circuit are IPSO functions. State Synchronization is a Checkpoint function.
To establish the state synchronization, perform the following on both boxes. Remember that the IP address used in the following statements will be the IP address of the OTHER firewall's interface. It is recommended that the interface be dedicated for the purposes of synchronization -- although I have seen it work otherwise.
A few notes:
1. These directions assume that the synchronization has not been performed.
2. For the commands in the vi editor, I use "" to isolate the characters; do not use them in the config.
3. I use brackets () for explanations.
4. <> indicates a value which needs to be supplied; do not use the <> when entering.
5. A pound mark (#) at the beginning of a line indicates you are at the command prompt for the Nokia IPSO.
6. vi <filename> opens a file in the vi editor if it exists. If the file does not exist it creates an empty file of the same name.
Login to the Nokia firewall as admin.
#cd $FWDIR/conf
#vi sync.conf
"i" (type a single i to enter "insert" mode while in the vi editor)
<ipaddress_of_OTHER_firewall_sync_interface>
"esc" "esc" (hitting the escape key twice gets you out of insert mode)
"shft+:" (enters command mode)
"wq!" (write and quit with an override (!), although I am not 100% sure it is necessary here)
#fw putkey <ipaddress_of_OTHER_firewall_sync_interface> (after hitting enter, you will be prompted for the auth key twice)
#fwstop; fwstart
Perform this on both firewalls. Then use the following to verify various aspects of the configuration.
#cd $FWDIR/conf
#ls sync.* (to see if the sync.conf file exists)
#cat sync.conf (to see what IP address is listed -- make sure it is for the OTHER firewall)
These commands will verify that the sync.conf file was created on both boxes.
#netstat -an
This shows the Nokia IPSO connection table. Look for 2 established connections (on both firewalls) with the two IP addresses in question and on port 257 (I think). If both connections are being attempted, but not established, then you probably have to redo your auth keys. Simply perform the last two commands on the list above ("fw putkey", then the "fwstop; fwstart"). This should fix the problem if it is related to your authentication keys.
***You must make sure your rulebase and anti-spoofing allow for this communication as well.***
#fw tab (check for the available options)
You should be able to look at the connection table using the "fw tab" command (I do not remember all the options) on both boxes and get an idea if they are similar. Under non load balancing configurations, there should be very few connections on your "backup" Nokia.
You will also want to verify that the monitored circuit is configured correctly, or you could be having an asymmetric routing situation which will also kill the FTP. Check the logs of the backup firewall and see if your connections are returning to the primary firewall even after a failover. You can also use the "tcpdump" commands to see traffic on specific interfaces on the firewalls. Do a search on Google to find a website with the "tcpdump" options.
regards and good luck
bill
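As an added example (not part of Bill's reply, and not a Checkpoint or Nokia tool), here is a small POSIX shell script that applies the "netstat -an" verification step from the reply: it counts ESTABLISHED TCP connections between the two sync addresses where either side uses port 257, the port Bill names for the sync traffic, and reports whether both connections are up. The two addresses and the netstat lines are constructed sample data in BSD netstat layout (addr.port); on a real box you would pipe the live "netstat -an" output into check_sync instead.

```shell
#!/bin/sh
# Added example: verify the two FW-1 state-sync connections in a
# "netstat -an" listing. Addresses and sample output are constructed.

# Constructed: sync interface addresses of the local and the OTHER firewall.
LOCAL_SYNC=192.0.2.1
PEER_SYNC=192.0.2.2

# Constructed sample of "netstat -an" output in BSD layout (address.port).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.1.257          192.0.2.2.1035         ESTABLISHED
tcp        0      0  192.0.2.1.1036         192.0.2.2.257          ESTABLISHED
tcp        0      0  192.0.2.1.22           198.51.100.7.40111     ESTABLISHED
tcp        0      0  *.257                  *.*                    LISTEN'

# count_sync_conns LOCAL PEER < netstat_output
# Prints the number of ESTABLISHED TCP connections between LOCAL and PEER
# in which either end uses port 257 (the sync port named in the reply).
count_sync_conns() {
    awk -v l="$1" -v p="$2" '
        $1 == "tcp" && $NF == "ESTABLISHED" {
            # BSD netstat prints addr.port; the port is the last dot-field.
            n = split($4, a, "."); lport = a[n]
            laddr = substr($4, 1, length($4) - length(lport) - 1)
            m = split($5, b, "."); fport = b[m]
            faddr = substr($5, 1, length($5) - length(fport) - 1)
            if (laddr == l && faddr == p && (lport == "257" || fport == "257")) c++
        }
        END { print c + 0 }'
}

# check_sync LOCAL PEER < netstat_output
# Returns 0 when both sync connections are established, 1 otherwise,
# and prints the remedy from the reply (redo the auth keys and restart).
check_sync() {
    n=$(count_sync_conns "$1" "$2")
    if [ "$n" -ge 2 ]; then
        echo "sync OK: $n established connections on port 257 between $1 and $2"
        return 0
    fi
    echo "sync NOT established ($n of 2): redo 'fw putkey' on both boxes, then 'fwstop; fwstart'"
    return 1
}

# Stand-alone run against the constructed sample; prints the OK line.
printf '%s\n' "$SAMPLE_NETSTAT" | check_sync "$LOCAL_SYNC" "$PEER_SYNC"
```

Run the check on both firewalls, since the reply asks for the two established connections on each box; a count of 1 with the second connection stuck in an attempting state is the symptom the reply attributes to mismatched auth keys.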
----- Original Message -----
Sent: Thursday, August 22, 2002 4:47 PM
Subject: [FW-1] Nokia & Checkpoint - stateful failover?
We've got two Nokia 530 platforms running FW-1 v4.1 in a failover configuration with VRRP. This is a managed service that we've outsourced.
Our managed service provider says that the failover is stateful - all session information is maintained on both platforms.
In testing we have reason to believe that the stateful session information is either not current or not being passed; that failover is non-stateful. Testing included FTP file transfers which broke during a failover test...
Our provider mentioned an additional protocol that is used to pass session state information, as VRRP is not designed for stateful failover.
Can somebody please point me to a URL or explain the stateful failover capability of FW-1 v4.1 (prefer an implementation on Nokia)?
If this configuration can in fact provide a stateful failover capability, any reason why FTP transfers would fail during a failover event? If the session info is updated to the alternate platform from the primary, we would expect to see the transfer continue (maybe a few TCP retransmissions at most). I saw something about a 50ms SYNC interval, but I don't believe that would be a problem.
Bonus question: if FW-1 (or Nokia) has its own protocol for session updates to share state information, why need VRRP to detect a failure?
Thanks,
-Rob Patrick