
Re: [FW-1] Nokia ip400 VRRP problems



Are you NATing to the servers?
 
If so, you may wish to check your static ARPing - make sure you have static ARPed the addresses with the VRRP MAC address and not the MAC of the external firewall's interface. That will cause all kinds of issues with upstream routers seeing different MACs, same IPs, etc.
 
This depends on whether you are using NAT, but your issue sounds very familiar to what I have seen happen before with the above problem.
 
Hope it helps.
 
Brendan
-----Original Message-----
From: Security Guy [mailto:[email protected]]
Sent: Friday, 6 September 2002 7:22 AM
To: [email protected]
Subject: [FW-1] Nokia ip400 VRRP problems

Hello
 
Got kind of a weird one:
 
*Dual Nokia ip440s, ver 4.1 sp6 setup and working fine with VRRP
*Two websites,  Site 1  xx.x..  Site 2 xx.x.xxx.xx 
Both using the same ISP
 
 
We host two websites, and over the past week we have had to reboot the primary firewall to regain access to site2.  Site2 isn't fully production (simply a redirect to site 1) but users won't change their *favorites* so the page stays put!  We have always been able to ping site 1 (Compaq servers) but never site 2 (IBM servers).
 
The sysadmin on the box swears he isn't filtering ICMP or doing anything else to prevent pings.  In theory, if VRRP was working, traffic to the site should come back as soon as the primary firewall is rebooted or failed over.  This isn't happening; we have forced traffic to the secondary firewall, but access to the site remains blocked until the primary is back online (finished rebooting).
 
The firewalls are a mirror image of each other, what are we missing?
 
 
Thanks
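
The static ARP check suggested in the reply above, as an added example that is not part of either message: it flags NAT addresses whose static ARP entry is missing or is published with anything other than the VRRP MAC. It assumes the pair uses the standard VRRP virtual MAC for IPv4 (00:00:5e:00:01:<VRID>); the VRID, addresses and MACs below are constructed sample values, and the function names are hypothetical.

```python
import re

def vrrp_mac(vrid):
    """Standard VRRP virtual MAC for IPv4: 00:00:5e:00:01:<VRID>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return "00:00:5e:00:01:%02x" % vrid

def normalize_mac(mac):
    """Accept 0:0:5e:0:1:a, 00-00-5E-00-01-0A or 0000.5e00.010a style input."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) == 6:
        digits = "".join(p.zfill(2) for p in parts)  # pad short octets
    else:
        digits = re.sub(r"[.:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_static_arp(entries, nat_addresses, vrid):
    """Return {ip: problem} for NAT addresses not published with the VRRP MAC."""
    expected = vrrp_mac(vrid)
    published = {ip: normalize_mac(mac) for ip, mac in entries}
    findings = {}
    for ip in nat_addresses:
        mac = published.get(ip)
        if mac is None:
            findings[ip] = "no static ARP entry"
        elif mac != expected:
            findings[ip] = f"published with {mac}, expected {expected}"
    return findings

# Constructed sample data: VRID 10, three NATed server addresses.
SAMPLE_VRID = 10
SAMPLE_NAT_ADDRESSES = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
SAMPLE_STATIC_ARP = [
    ("192.0.2.10", "0:0:5e:0:1:a"),       # correct: the VRRP MAC
    ("192.0.2.20", "02:00:00:aa:bb:01"),  # wrong: a physical interface MAC
]

if __name__ == "__main__":
    report = audit_static_arp(SAMPLE_STATIC_ARP, SAMPLE_NAT_ADDRESSES, SAMPLE_VRID)
    for ip, problem in sorted(report.items()):
        print(ip, "->", problem)
```

An entry tied to one firewall's physical MAC keeps answering only while that box is up, which matches the symptom of a site staying unreachable after failover until the primary returns.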