
Re: [FW-1] VRRP MC and CISCO 6509



Ummm... My apologies..
I changed topic mid-post and there has been some confusion..

To clarify..

The asymmetric-routing-type issue is in relation to a single
firewall being on one side of a pair (actually trio but the
concept should be the same) of Cisco 6509's running HSRP and
the management console on the other side of the 6509's.

                       [6509 #1]
   mgt console <-----> [6509 #2]  <------>  firewall
                       [6509 #3]

**When the firewall is separated from the management console
by the 6509's running HSRP then NO GO... cannot manage.

**When the firewall is on the same side as the management
console then all ok and can push policy and manage firewall..

Or slightly differently -
**When the FWGUI is separated from the management console
by the 6509's running HSRP and the firewall is not separated
then ALL OK..

but
**If both the FWGUI and the firewall are separated from the
management console by the 6509's running HSRP then all NOT OK...


   mgt console <----->  [6509 #1]  <------>  PC with FW Gui
                        [6509 #2]
   firewall on this <-> [6509 #3]  <-> Firewall on this not ok
   side all ok

I have sniffed the packets and the mac address of the packet
leaving the subnet goes to the virtual HSRP address (x.x.x.1)
whilst the return packet has a mac address of the physical
address of one of the 6509s (x.x.x.2 or .3 or .4) not the
HSRP address of x.x.x.1.

Again, at this stage I am only suspecting this to be the cause, as
from my current understanding this behaviour is in fact
how HSRP is supposed to operate (but perhaps FW1 is getting
upset with it).

Hope this clarifies and someone has experienced this before.

Regards
Roland
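The observation above (frames leave the subnet addressed to the HSRP virtual MAC, replies come back from a 6509's physical MAC) is easy to confirm from a capture rather than by eye. The following is an added example, not code from the original post: it takes decoded frames as (src_ip, dst_ip, src_mac, dst_mac) tuples, groups them by remote peer, and reports which gateway MACs were used outbound versus inbound. The HSRPv1 (0000.0c07.acXX) and VRRP (00-00-5e-00-01-XX) virtual MAC prefixes are well-known values; the IP and switch MAC addresses in the sample capture are constructed.

```python
import ipaddress
from collections import defaultdict

# Well-known virtual-gateway MAC prefixes of first-hop redundancy protocols.
# HSRPv1 uses 0000.0c07.acXX (XX = standby group); VRRP uses 00-00-5e-00-01-XX (XX = VRID).
VIRTUAL_MAC_PREFIXES = ("00:00:0c:07:ac:", "00:00:5e:00:01:")


def is_virtual_gateway_mac(mac):
    """True if the MAC is an HSRPv1 or VRRP virtual router address."""
    return mac.lower().startswith(VIRTUAL_MAC_PREFIXES)


def gateway_mac_report(frames, local_net):
    """Group sniffed frames by remote peer and compare the gateway MAC the local
    host sends to (dst MAC of frames leaving the subnet) with the MACs replies
    arrive from (src MAC of frames entering the subnet).

    frames: iterable of (src_ip, dst_ip, src_mac, dst_mac) tuples.
    local_net: the subnet the sniffer sits on, e.g. "10.1.1.0/24".
    """
    local = ipaddress.ip_network(local_net)
    outbound = defaultdict(set)   # peer IP -> gateway MACs we sent to
    inbound = defaultdict(set)    # peer IP -> gateway MACs replies came from
    for src_ip, dst_ip, src_mac, dst_mac in frames:
        src_local = ipaddress.ip_address(src_ip) in local
        dst_local = ipaddress.ip_address(dst_ip) in local
        if src_local and not dst_local:
            outbound[dst_ip].add(dst_mac.lower())
        elif dst_local and not src_local:
            inbound[src_ip].add(src_mac.lower())
        # Frames that stay inside the subnet never touch the gateway: ignored.

    report = {}
    for peer in sorted(set(outbound) | set(inbound)):
        sent_to, came_from = outbound[peer], inbound[peer]
        report[peer] = {
            "sent_to": sorted(sent_to),
            "replies_from": sorted(came_from),
            "sent_to_virtual_mac": bool(sent_to)
                and all(is_virtual_gateway_mac(m) for m in sent_to),
            "replies_from_physical_mac": bool(came_from)
                and not any(is_virtual_gateway_mac(m) for m in came_from),
            # The pattern described in the post: out via the virtual MAC, back
            # from MACs that were never used outbound (the physical routers).
            "gateway_mac_mismatch": bool(sent_to) and bool(came_from)
                and not came_from.issubset(sent_to),
        }
    return report


# Constructed sample capture (no real addresses): the management console
# 10.1.1.20 talks to a firewall 10.2.2.50 on the far side of the HSRP routers.
# Its default gateway is the HSRP virtual address, whose MAC is
# 00:00:0c:07:ac:01; the two routers answer from made-up, locally
# administered MACs of their own.
SAMPLE_FRAMES = [
    ("10.1.1.20", "10.2.2.50", "02:00:00:00:aa:20", "00:00:0c:07:ac:01"),
    ("10.2.2.50", "10.1.1.20", "02:00:00:00:65:02", "02:00:00:00:aa:20"),
    ("10.1.1.20", "10.2.2.50", "02:00:00:00:aa:20", "00:00:0c:07:ac:01"),
    ("10.2.2.50", "10.1.1.20", "02:00:00:00:65:03", "02:00:00:00:aa:20"),
    ("10.1.1.20", "10.1.1.1", "02:00:00:00:aa:20", "02:00:00:00:65:02"),  # same subnet, ignored
]

if __name__ == "__main__":
    for peer, facts in gateway_mac_report(SAMPLE_FRAMES, "10.1.1.0/24").items():
        print(peer, facts)
```

A mismatch flagged by this report is only the symptom the post describes, not proof of the cause; it tells you which physical router is answering for which peer, which is the fact to take to the next troubleshooting step.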



-----Original Message-----
From: Mellor, Derin [mailto:[email protected]]
Sent: Tuesday, October 15, 2002 6:42 PM
To: [email protected]
Subject: Re: [FW-1] VRRP MC and CISCO 6509


Could this problem be because the interface associated with the firewall
management is external? (view following in courier):

             ------------------------------10.1.1.0/24
                  |                  |
                  .1                 .2
              [  s1p1  ]        [  s1p1  ]
      Master->[  FW-A  ]--sync--[  FW-B  ]
              [  s1p2  ]        [  s1p2  ]
                 .254               .253
              ____|__________________|_____192.168.1.0/24
                          |
                       [CP Mng] gw=.254

Assuming the licenses are tied to the external interfaces (FW-A s1p1:
10.1.1.1, FW-B s1p1: 10.1.1.2).
When CP-Mng attempts to communicate with the firewall management
interfaces (i.e. their external interfaces) all the traffic will go via
the Master firewall, in this case FW-A. Managing FW-A will be fine, but
if you have AntiSpoofing correctly configured FW-B will fail.
The problem is that CP-Mng will use its default gateway (192.168.1.254),
this will forward the traffic on to 10.1.1.0/24 network, and will be
received by FW-B on s1p1 10.1.1.2 - this is all correct.
BUT, the source IP address (i.e. CP-Mng) should not appear coming into
this interface - Spoofed packet!!!
To get round this, add an explicit static route pointing at 10.1.1.2 via
192.168.1.253 into CP-Mng (or the last router before FW-B) - hence the
CP-Mng traffic to FW-B will go direct to FW-B.

Regards Derin
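The reply above describes a forwarding path and an anti-spoofing decision that can be modelled in a few lines. The following is an added example, not code from the original message or from Check Point: it builds the topology from Derin's diagram (FW-A s1p1 10.1.1.1 / s1p2 192.168.1.254, FW-B s1p1 10.1.1.2 / s1p2 192.168.1.253), traces a CP-Mng packet to each firewall's external address with the default gateway alone and again with the recommended host route, and applies the anti-spoofing rule as the reply states it. The CP-Mng host address 192.168.1.10 is an assumption.

```python
import ipaddress

# Constructed model of the topology in the reply (addresses taken from
# Derin's diagram; the CP-Mng host address is an assumption).
EXTERNAL = ipaddress.ip_network("10.1.1.0/24")
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
CP_MNG = "192.168.1.10"  # assumed management-station address on the internal LAN

# Firewall interface address -> (firewall, interface, network it sits on).
FW_INTERFACES = {
    "10.1.1.1":      ("FW-A", "s1p1", EXTERNAL),
    "10.1.1.2":      ("FW-B", "s1p1", EXTERNAL),
    "192.168.1.254": ("FW-A", "s1p2", INTERNAL),
    "192.168.1.253": ("FW-B", "s1p2", INTERNAL),
}

# Routing tables for CP-Mng: the default gateway only, and the same plus the
# host route the reply recommends.
DEFAULT_ROUTES = [("0.0.0.0/0", "192.168.1.254")]
FIXED_ROUTES = DEFAULT_ROUTES + [("10.1.1.2/32", "192.168.1.253")]


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; raises if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def antispoof_accepts(ingress_net, src):
    """Anti-spoofing as the reply describes it: a packet is legitimate on an
    interface only if its source belongs to the topology behind that interface.
    Behind the external interface is 'everything that is not internal'."""
    src = ipaddress.ip_address(src)
    return (src in INTERNAL) if ingress_net == INTERNAL else (src not in INTERNAL)


def trace(routes, dst, src=CP_MNG):
    """Follow a CP-Mng packet addressed to a firewall's external (management)
    address and return (firewall reached, ingress interface, accepted?)."""
    gw = next_hop(routes, dst)
    hop_fw, hop_iface, hop_net = FW_INTERFACES[gw]
    dst_fw, dst_iface, dst_net = FW_INTERFACES[dst]
    if hop_fw == dst_fw:
        # Next hop is an interface of the target firewall itself: the packet
        # enters there (s1p2, the internal side) with an internal source.
        ingress_iface, ingress_net = hop_iface, hop_net
    else:
        # Next hop is the other firewall. It forwards the packet onto the
        # 10.1.1.0/24 network, so it reaches the target on the interface that
        # holds the destination address: s1p1, the external side, still
        # carrying an internal source address.
        ingress_iface, ingress_net = dst_iface, dst_net
    return dst_fw, ingress_iface, antispoof_accepts(ingress_net, src)


if __name__ == "__main__":
    for label, routes in (("default gw only", DEFAULT_ROUTES), ("with host route", FIXED_ROUTES)):
        for fw_addr in ("10.1.1.1", "10.1.1.2"):
            print(label, fw_addr, "->", trace(routes, fw_addr))
```

With the default gateway alone the packet for 10.1.1.2 enters FW-B on s1p1 with a 192.168.1.x source and is rejected; the /32 host route via 192.168.1.253 makes it enter on s1p2, where an internal source is legitimate. The fix narrows the route rather than loosening anti-spoofing, which is the right direction: the spoofing check is doing exactly what it should.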

-----Original Message-----
From: Bill [mailto:[email protected]]
Sent: 15 October 2002 03:21
To: [email protected]
Subject: Re: [FW-1] VRRP MC and CISCO 6509


Hi Roland,

In the cases where I worked this angle (mostly in 4.1 and one case in NG
FP2) I had no problems.  In some cases they had to turn off stp, which
was unnecessary anyway.

I am not sure your theory is correct about the MACs -- although it is
too early to rule it out.  Have you checked the basics on ALL devices
concerned (firewalls, routers, mgmt station, etc.) -- cable, speed,
duplex, port, vlan assignments, ip address and subnet, routing, etc.,
etc.  Try connectivity between the firewall and the router, between the
firewall and the other devices behind the router, etc.  Where possible
sniff the traffic using tcpdump on the nokias and whatever other
sniffing utilities you have.

Bill


----- Original Message -----
From: "Roland Rosenbach" <[email protected]>
To: <[email protected]>
Sent: Monday, October 14, 2002 8:37 PM
Subject: Re: [FW-1] VRRP MC and CISCO 6509


> Excellent. Thanks for your reply Jussi.
>
> Were either of them dualed and running HSRP?
>
> I'm having an issue at the moment with not being able to manage a test
> firewall if I place it on the other side of a pair of 6509's. NB - If
> I place it on the same side of the 6509's as the management console
> all is ok and can push policies.
>
> I suspect it has something to do with packets leaving the subnet
> having a MAC address of the HSRP address x.x.x.1 (the machines default
> gateway) but return packets come back with the physical MAC of the
> 6509 x.x.x.2 or x.x.x.3 and (not the virtual HSRP MAC it left on).
>
> Not exactly asymmetric routing but similar issue.
>
> Anyone come across this before?
>
> Regards
> Roland
>
> -----Original Message-----
> From: Ketola Jussi [mailto:[email protected]]
> Sent: Monday, October 14, 2002 5:03 PM
> To: [email protected]
> Subject: Re: [FW-1] VRRP MC and CISCO 6509
>
>
> Hi,
>
> We have done just that with CP 4.1, NG FP1 and NG FP2. It worked with
> all those versions. We have our IP440's between C6509 and C6506, and
> both realize what's happening when we boot one of our IP440s
>
> Jussi Ketola
>
> -----Original Message-----
> From: Roland Rosenbach [mailto:[email protected]]
> Sent: 7 October 2002 18:06
> To: [email protected]
> Subject: Re: [FW-1] VRRP MC and CISCO 6509
>
> Hiya all,
>
> Thanks for the replies.
>
> I forgot to mention I will initially be deploying on V4.1 before
> upgrade to NG FP2 or 3.
>
> So just to clarify...Were the successes on V4.1 or NG FPX? (thinking
> maybe NG might have fixed the issues)
>
> Regards
> Roland
>
> -----Original Message-----
> From: Bill [mailto:[email protected]]
> Sent: Saturday, October 05, 2002 1:33 AM
> To: [email protected]
> Subject: Re: [FW-1] VRRP MC and CISCO 6509
>
>
> I have successfully done it a few times.  Turning off stp worked in
> the cases where it was even needed.  Tested failover and recovery in
> all cases and it worked fine.  No other changes were necessary in the
> environments.
> ----- Original Message -----
> From: "Roland Rosenbach" <[email protected]>
> To: <[email protected]>
> Sent: Thursday, October 03, 2002 7:14 AM
> Subject: [FW-1] VRRP MC and CISCO 6509
>
>
> > Hi all,
> >
> > Has anyone successfully run VRRP MC on a pair of Nokia's with one
> > interface on each firewall patched directly into a Cisco 6509?
> >
> > I know that Nokia say that you need to disable STP or at least
> > enable portfast on the ports and that there are issues with MAC
> > caching but has any body SUCCESSFULLY done it?
> >
> > Searching through the lists I have seen a couple people talk about
> > firewall core dumps when they reduced the MAC caches to 1. Has anybody
> > had good experiences with reducing MAC cache timeout or turning off MAC
> > caching altogether?
> >
> > Really appreciate anybody's feedback as am not comfortable with
> > deploying HA directly into a 6509 and adding a hub to get around it
> > is really just another single point of failure.
> >
> > Regards
> > Roland Rosenbach
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription
> > options, email [email protected]
> > =================================================
>
