
Re: [FW-1] VRRP MC and CISCO 6509



You need to be a little clearer about where you sniffed and in relation to
what as well as the who, what, and where of the connection which was
attempted during your sniff.  In any case though, you are seeing the return
packet (I assume FROM the firewall) and that is a good thing (unless it is a
connection reset or an ICMP response with a failure code of some sort,
etc.).  If the firewall was having a problem you would not see a return
packet in most cases.

If for instance you see the return packet from the firewall going towards
the Cisco box, but not coming out the other side then you need to check the
routing, the cables, etc. between that point and the endstation (the mgmt
server in this case).  You are obviously changing the configuration of the
box which is moving locations, so double-check all those changes and
determine how each other device will be affected as well.

Bypass management stuff also.  Try a ping, telnet, ftp, http connection to
the firewall from the mgmt server AND from another device.  Make sure they
are all allowed connections on the firewall beforehand of course.  Use
tcpdump to determine if traffic is being received AND sent.  It can also
help you determine the mac address, the type of packet, etc., etc.  I would
also check the IP configuration of the management station, the Nokia box,
and the intervening routers.  If any one configuration is wrong, traffic may
get to the far end and be returned down the "wrong" -- or is that the
"right" path ;~)  Depending on what does and does not work you can fine tune
your troubleshooting.

BTW, my understanding of both vrrp and hsrp is that when the router is
sending traffic it uses its real MAC and not the virtual one.  I believe I
came across an exception to that once, but for the life of me I can not
remember what it was.

good luck
----- Original Message -----
From: "Roland Rosenbach" <[email protected]>
To: <[email protected]>
Sent: Tuesday, October 15, 2002 9:53 PM
Subject: Re: [FW-1] VRRP MC and CISCO 6509


> Ummm... My apologies..
> I changed topic mid post and there has been some confusion..
>
> To clarify..
>
> The asymmetric routing type issue is in relation to a single
> firewall being on one side of a pair (actually trio but the
> concept should be the same) of Cisco 6509's running HSRP and
> the management console on the other side of the 6509's.
>
>                        [6509 #1]
>    mgt console <-----> [6509 #2]  <------>  firewall
>                        [6509 #3]
>
> **When the firewall is separated from the management console
> by the 6509's running HSRP then NO GO... cannot manage.
>
> **When the firewall is on the same side as the management
> console then all ok and can push policy and manage firewall..
>
> Or slightly differently -
> **When the FWGUI is separated from the management console
> by the 6509's running HSRP and the firewall is not separated
> then ALL OK..
>
> but
> **If both the FWGUI and the firewall are separated from the
> management console by the 6509's running HSRP then all NOT OK...
>
>
>    mgt console <----->  [6509 #1]  <------>  PC with FW Gui
>                         [6509 #2]
>    firewall on this <-> [6509 #3]  <-> Firewall on this not ok
>    side all ok
>
> I have sniffed the packets and the mac address of the packet
> leaving the subnet goes to the virtual HSRP address (x.x.x.1)
> whilst the return packet has a mac address of the physical
> address of one of the 6509s (x.x.x.2 or .3 or .4) not the
> HSRP address of x.x.x.1.
>
> Again at this I am only suspecting this to be the cause as
> from my current understanding that this behaviour is in-fact
> how HSRP is supposed to operate (but perhaps FW1 is getting
> upset with it).
>
> Hope this clarifies and someone has experienced this before.
>
> Regards
> Roland
>
>
>
> -----Original Message-----
> From: Mellor, Derin [mailto:[email protected]]
> Sent: Tuesday, October 15, 2002 6:42 PM
> To: [email protected]
> Subject: Re: [FW-1] VRRP MC and CISCO 6509
>
>
> Could this problem be because the interface associated with the firewall
> management is external? (view following in courier):
>
>              ------------------------------10.1.1.0/24
>                   |                  |
>                   .1                 .2
>               [  s1p1  ]        [  s1p1  ]
>       Master->[  FW-A  ]--sync--[  FW-B  ]
>               [  s1p2  ]        [  s1p2  ]
>                  .254               .253
>               ____|__________________|_____192.168.1.0/24
>                           |
>                        [CP Mng] gw=.254
>
> Assuming the licenses are tied to the external interfaces (FW-A s1p1:
> 10.1.1.1, FW-B s1p1: 10.1.1.2).
> When CP-Mng attempts to communicate with the firewall management
> interfaces (i.e. their external interfaces) all the traffic will go via
> the Master firewall, in this case FW-A. Managing FW-A will be fine, but
> if you have AntiSpoofing correctly configured FW-B will fail.
> The problem is that CP-Mng will use its default gateway (192.168.1.254),
> this will forward the traffic on to 10.1.1.0/24 network, and will be
> received by FW-B on s1p1 10.1.1.2 - this is all correct.
> BUT, the source IP address (i.e. CP-Mng) should not appear coming into
> this interface - Spoofed packet!!!
> To get round this add an explicit static route pointing at 10.1.1.2 via
> 192.168.1.253 into CP-Mng (or the last router before FW-B) - hence the
> CP-Mng traffic to FW-B will go direct to FW-B.
>
> Regards Derin
>
> -----Original Message-----
> From: Bill [mailto:[email protected]]
> Sent: 15 October 2002 03:21
> To: [email protected]
> Subject: Re: [FW-1] VRRP MC and CISCO 6509
>
>
> Hi Roland,
>
> In the cases where I worked this angle (mostly in 4.1 and one case in NG
> FP2) I had no problems.  In some cases they had to turn off stp, which
> was unnecessary anyway.
>
> I am not sure your theory is correct about the MACs -- although it is
> too early to rule it out.  Have you checked the basics on ALL devices
> concerned (firewalls, routers, mgmt station, etc.) -- cable, speed,
> duplex, port, vlan assignments, ip address and subnet, routing, etc.,
> etc.  Try connectivity between the firewall and the router, between the
> firewall and the other devices behind the router, etc.  Where possible
> sniff the traffic using tcpdump on the nokias and whatever other
> sniffing utilities you have.
>
> Bill
>
>
> ----- Original Message -----
> From: "Roland Rosenbach" <[email protected]>
> To: <[email protected]>
> Sent: Monday, October 14, 2002 8:37 PM
> Subject: Re: [FW-1] VRRP MC and CISCO 6509
>
>
> > Excellent. Thanks for your reply Jussi.
> >
> > Were either of them dualed and running HSRP?
> >
> > I'm having an issue at the moment with not being able to manage a test
> > firewall if I place it on the other side of a pair of 6509's. NB - If
> > I place it on the same side of the 6509's as the management console
> > all is ok and can push policies.
> >
> > I suspect it has something to do with packets leaving the subnet
> > having a MAC address of the HSRP address x.x.x.1 (the machines default
> > gateway) but return packets come back with the physical MAC of the
> > 6509 x.x.x.2 or x.x.x.3 (and not the virtual HSRP MAC it left on).
> >
> > Not exactly asymmetric routing but similar issue.
> >
> > Anyone come across this before?
> >
> > Regards
> > Roland
> >
> > -----Original Message-----
> > From: Ketola Jussi [mailto:[email protected]]
> > Sent: Monday, October 14, 2002 5:03 PM
> > To: [email protected]
> > Subject: Re: [FW-1] VRRP MC and CISCO 6509
> >
> >
> > Hi,
> >
> > We have done just that with CP 4.1, NG FP1 and NG FP2. It worked with
> > all those versions. We have our IP440's between C6509 and C6506, and
> > both realize what's happening when we boot one of our IP440s
> >
> > Jussi Ketola
> >
> > -----Original Message-----
> > From: Roland Rosenbach [mailto:[email protected]]
> > Sent: 7. lokakuuta 2002 18:06
> > To: [email protected]
> > Subject: Re: [FW-1] VRRP MC and CISCO 6509
> >
> > Hiya all,
> >
> > Thanks for the replies.
> >
> > I forgot to mention I will initially be deploying on V4.1 before
> > upgrade to NG FP2 or 3.
> >
> > So just to clarify...Were the successes on V4.1 or NG FPX? (thinking
> > maybe NG might have fixed the issues)
> >
> > Regards
> > Roland
> >
> > -----Original Message-----
> > From: Bill [mailto:[email protected]]
> > Sent: Saturday, October 05, 2002 1:33 AM
> > To: [email protected]
> > Subject: Re: [FW-1] VRRP MC and CISCO 6509
> >
> >
> > I have successfully done it a few times.  Turning off stp worked in
> > the cases where it was even needed.  Tested failover and recovery in
> > all cases and it worked fine.  No other changes were necessary in the
> > environments.
> > ----- Original Message -----
> > From: "Roland Rosenbach" <[email protected]>
> > To: <[email protected]>
> > Sent: Thursday, October 03, 2002 7:14 AM
> > Subject: [FW-1] VRRP MC and CISCO 6509
> >
> >
> > > Hi all,
> > >
> > > Has anyone successfully run VRRP MC on a pair of Nokia's with one
> > > interface on each firewall patched directly into a Cisco 6509?
> > >
> > > I know that Nokia say that you need to disable STP or at least
> > > enable portfast on the ports and that there are issues with MAC
> > > caching but has anybody SUCCESSFULLY done it?
> > >
> > > Searching through the lists I have seen a couple people talk about
> > > firewall core dumps when they reduced the MAC caches to 1. Has
> > > anybody had good experiences with reducing MAC cache timeout or
> > > turning off MAC caching altogether?
> > >
> > > Really appreciate anybody's feedback as am not comfortable with
> > > deploying HA directly into a 6509 and adding a hub to get around it
> > > is really just another single point of failure.
> > >
> > > Regards
> > > Roland Rosenbach
> > >
> > >
> > >
> > >
> > >

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
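Derin's anti-spoofing explanation quoted above, modelled in Python as an added example (not code from the thread or from Check Point). The topology and addresses are the ones in his diagram; the CP-Mng host address 192.168.1.10 and the two-rule anti-spoofing model (internal interface accepts only internal sources, external interface never accepts them) are assumptions.

```python
import ipaddress

# Topology and addresses as drawn in Derin's diagram; the CP-Mng host
# address 192.168.1.10 and the anti-spoofing model are assumptions.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
CP_MNG = ipaddress.ip_address("192.168.1.10")

# interface address -> (firewall, interface name, role)
INTERFACES = {
    "10.1.1.1": ("FW-A", "s1p1", "external"),
    "192.168.1.254": ("FW-A", "s1p2", "internal"),
    "10.1.1.2": ("FW-B", "s1p1", "external"),
    "192.168.1.253": ("FW-B", "s1p2", "internal"),
}

def antispoof_ok(src, role):
    """Internal interface: only internal sources. External: never an internal source."""
    return (src in INTERNAL) if role == "internal" else (src not in INTERNAL)

def next_hop(dst, routes):
    """Longest-prefix match over (network, gateway) pairs, as a host does."""
    best = max((net for net, _ in routes if dst in net), key=lambda n: n.prefixlen)
    return dict(routes)[best]

def owns(fw, addr):
    return INTERFACES[addr][0] == fw

def trace(dst, routes):
    """Hops a CP-Mng packet to dst hits: [(firewall, iface, anti-spoofing verdict)]."""
    dst = ipaddress.ip_address(dst)
    gw_fw, gw_if, gw_role = INTERFACES[next_hop(dst, routes)]
    hops = [(gw_fw, gw_if, antispoof_ok(CP_MNG, gw_role))]
    if not owns(gw_fw, str(dst)):
        # The gateway firewall forwards onto 10.1.1.0/24, so the other firewall
        # receives the packet on its EXTERNAL interface with the unchanged
        # CP-Mng source address: the "spoofed packet" Derin describes.
        dst_fw, dst_if, dst_role = INTERFACES[str(dst)]
        hops.append((dst_fw, dst_if, antispoof_ok(CP_MNG, dst_role)))
    return hops

def can_manage(dst, routes):
    return all(ok for _, _, ok in trace(dst, routes))

# CP-Mng with only its default gateway (FW-A's internal interface) ...
DEFAULT_ONLY = [(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.254")]
# ... and with Derin's explicit host route to FW-B via FW-B's own s1p2.
WITH_STATIC = DEFAULT_ONLY + [(ipaddress.ip_network("10.1.1.2/32"), "192.168.1.253")]

if __name__ == "__main__":
    for label, routes in (("default only", DEFAULT_ONLY), ("with static", WITH_STATIC)):
        print(label, "FW-A:", can_manage("10.1.1.1", routes),
              "FW-B:", can_manage("10.1.1.2", routes))
```

With only the default route, the trace to FW-B ends at FW-B s1p1 with the anti-spoofing check failing, exactly the case Derin calls out; the /32 route via 192.168.1.253 delivers the packet to FW-B's internal interface instead and the check passes.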
   All contents © 2004 Network Presence, LLC. All rights reserved.