
Re: [FW-1] NG FP3 and Nokia IPSO 3.5 vrrp problem



Thomas,

As you have already indicated, unloading the security policy solves the problem, so this is CP doing something. tcpdump intercepts packets before CP gets its hands on them.

As I stated earlier, you must have enabled 'Enable connections to VRRP IP'?

You could try to track it down with the 'fw monitor' command...

What AntiSpoofing have you enabled?

Otherwise I am at a loss, I have never experienced this problem (mind you I have only occasionally enabled the connections to the VRRP IP).

It might make sense to disable the Enable connections to VRRP IP and see whether it makes connecting to the Real IP address stable.

Derin


-----Original Message-----
From: Thomas Lüthi [mailto:[email protected]]
Sent: 25 November 2002 14:12
To: [email protected]
Subject: Re: [FW-1] NG FP3 and Nokia IPSO 3.5 vrrp problem


Hi

Setting the fw_allow_unknown_if flag does not solve the problem.

The following shows a ping to the Nokia box. x.x.x.174 is the VRRP virtual IP and x.x.x.173 is the real IP of the interface. The Nokia box does not send a ping response from the real IP if I have pinged the virtual IP before.

C:\>ping x.x.x.174
Response from x.x.x.174: Bytes=32 Time=10ms TTL=255

C:\>ping x.x.x.173
Timeout.

C:\>arp -a
  Internet Address      Physical Address      Type
  x.x.x.173          00-a0-8e-32-fc-6c     dynamic
  x.x.x.174          00-00-5e-00-01-0a     dynamic

If I look at the firewall logfile I see both ICMP requests accepted by the firewall.

Maybe the problem is in the firewall topology configuration:
cluster topology:     all VRRP IPs of the cluster
member topology:      real IPs of the Nokias

Any ideas?

Thomas


        -----Original Message-----
        From: Thomas Lüthi
        Sent: Mon 25.11.2002 14:24
        To: [email protected]
        Cc:
        Subject: Re: [FW-1] NG FP3 and Nokia IPSO 3.5 vrrp problem



        It seems to be a Check Point problem. If I disable the local policy, I can connect to the virtual and the real IP.
        MAC addresses are correct; I can connect to the virtual IP AND the real IP.

        After applying my policy, VRRP is still working correctly. It is possible to ping the real IP. If I send a ping to the virtual IP, the Nokia box does not send an ICMP response. I see the accept of the ICMP request in the FW logfile.
        The behaviour is the same the other way round if I wait for some minutes and ping the real IP first.

        Do I have to set the fw_allow_unknown_if flag in fwmod.o with modzap for connections to the VRRP address?

        Thanks for your response

        Thomas

                -----Original Message-----
                From: Mellor, Derin [mailto:[email protected]]
                Sent: Fri 22.11.2002 11:22
                To: [email protected]
                Cc:
                Subject: Re: [FW-1] NG FP2 and Nokia IPSO 3.5 arp problem



                I'm a bit confused by this. Assuming you are running VRRP/MC, by default the VIP does not respond to any requests except ARP requests. This can be changed by enabling 'Accept Connections to VRRP IPs' within Voyager (or Lynx).

                The real address should respond happily.

                I would check your MAC addresses are correct.

                On the FW using: ifconfig -au

                This will show all the configured interfaces. The VMAC normally starts: 0:0:5e:0:1:xx
                where xx is determined by the virtual router ID.


                Could the ICMP Req to the real IP be dropped by the firewall?
                If this is a test firewall, unload the security policy: fw unloadlocal
                (this command has changed many times; this is what I recall: CP 4.1: fw unload local, CP NG: fw unload localhost, CP NG FP2: fw unloadlocal)
                Ipso should go into blocking, this is shown by: ipsofwd list
                If you want it to be forwarding issue: ipsofwd on me
                Monitor the ping using tcpdump: tcpdump -i eth-s1p1 host a.b.c.d
                where eth-s1p1 is the interface you expect to see the ICMP come in on and a.b.c.d is the PC initiating the ping.
                To get extra details on MAC addresses add the -e before the -i.

                Hopefully this should help you track down what is going on.

                Good luck

                Derin

                -----Original Message-----
                From: Thomas Lüthi [mailto:[email protected]]
                Sent: 21 November 2002 15:37
                To: [email protected]
                Subject: [FW-1] NG FP2 and Nokia IPSO 3.5 arp problem


                Hello

                We have 2 Nokia IP530s, IPSO 3.5-FCS8 and Check Point NG FP3. VRRPmc is configured on every interface with a different VRID, and connections to the VRRP IPs are enabled in the Voyager configuration. VRRP is working correctly, as I can see with 'iclid show vrrp'. We have 5 masters on machine A and 5 backups on machine B. If I disable one interface on A, we have 4 backups on A and 5 masters on B. This seems to work correctly.

                The problem is that I am not able to ping the interface IP when I have pinged the virtual IP before:

                Ping to virtual IP -> works
                Ping to real IP -> no response

                But I receive an ARP response for the real IP!

                I can delete the ARP cache on both machines (Nokia and my PC) and try to access the real IP first:

                Ping to real IP -> works
                Ping to virtual IP -> no response

                That means I am not able to access the real IP on the master if I have accessed the virtual IP before. Is this a known bug? Is there any solution for that? Are there any known problems with NG FP3 and IPSO 3.5?

                Thanks, Thomas

                =================================================
                To set vacation, Out Of Office, or away messages,
                send an email to [email protected]
                in the BODY of the email add:
                set fw-1-mailinglist nomail
                =================================================
                To unsubscribe from this mailing list,
                please see the instructions at
                http://www.checkpoint.com/services/mailing.html
                =================================================
                If you have any questions on how to change your
                subscription options, email
                [email protected]
                =================================================








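As an added example (not from the thread, and not Check Point or Nokia code), here is a small Python helper that applies Derin's "check your MAC addresses" step mechanically. It parses `arp -a` style output, recognises the RFC 2338 IPv4 VRRP virtual MAC 00:00:5e:00:01:<VRID> in both the Windows `00-00-5e-00-01-0a` and the IPSO `ifconfig` `0:0:5e:0:1:a` notation, confirms that each virtual IP carries the expected VRID, and flags a real interface IP that has been learned with the virtual MAC. The ARP tables below are constructed: the first mirrors the table Thomas posted with the masked x.x.x addresses replaced by the 192.0.2.0/24 documentation range, the second is a hypothetical failure case the check is meant to catch. Run against Thomas's table the check passes, which is consistent with the thread's finding that the ARP/MAC layer is correct and that the behaviour changes only when the security policy is loaded.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the 'arp -a' output in the thread (VRID 10,
# i.e. 0x0a, in the VMAC). x.x.x.* replaced by the 192.0.2.0/24 documentation range.
GOOD_ARP = """
  Internet Address      Physical Address      Type
  192.0.2.173          00-a0-8e-32-fc-6c     dynamic
  192.0.2.174          00-00-5e-00-01-0a     dynamic
"""

# Constructed failure case (hypothetical, not seen in the thread): the real IP
# has been learned with the VRRP virtual MAC, so replies are addressed wrongly.
BAD_ARP = """
  Internet Address      Physical Address      Type
  192.0.2.173          00-00-5e-00-01-0a     dynamic
  192.0.2.174          00-00-5e-00-01-0a     dynamic
"""

# Accepts 1- or 2-digit octets with ':' or '-' separators, so Windows 'arp -a'
# and BSD/IPSO 'ifconfig' forms both parse.
MAC_RE = re.compile(r"^[0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5}$", re.I)
ARP_LINE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5})", re.I
)

VRRP_OUI_PREFIX = ["00", "00", "5e", "00", "01"]  # RFC 2338 IPv4 VMAC prefix


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, zero-padded, colon-separated form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(octet, 16):02x}" for octet in re.split(r"[:-]", mac))


def vrrp_vrid(mac: str) -> Optional[int]:
    """Return the VRID encoded in a VRRP virtual MAC, or None for any other MAC."""
    octets = normalize_mac(mac).split(":")
    if octets[:5] == VRRP_OUI_PREFIX:
        return int(octets[5], 16)
    return None


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> canonical MAC. Only the address columns are matched, so the
    header language (English or German Windows) does not matter."""
    return {m.group(1): normalize_mac(m.group(2)) for m in ARP_LINE_RE.finditer(text)}


def check_vrrp_arp(arp_text: str, vips: Dict[str, int], real_ips: List[str]) -> List[str]:
    """Return findings (empty list = consistent). `vips` maps each virtual IP to
    the VRID expected in its VMAC; `real_ips` are the physical interface addresses."""
    table = parse_arp_table(arp_text)
    findings: List[str] = []
    vip_macs = set()
    for vip, vrid in vips.items():
        mac = table.get(vip)
        if mac is None:
            findings.append(f"{vip}: no ARP entry (VIP not answering ARP?)")
            continue
        vip_macs.add(mac)
        got = vrrp_vrid(mac)
        if got is None:
            findings.append(f"{vip}: MAC {mac} is not a VRRP VMAC")
        elif got != vrid:
            findings.append(f"{vip}: VMAC carries VRID {got}, expected {vrid}")
    for rip in real_ips:
        mac = table.get(rip)
        if mac is None:
            findings.append(f"{rip}: no ARP entry")
        elif vrrp_vrid(mac) is not None:
            findings.append(f"{rip}: real IP resolved to VRRP VMAC {mac}")
        elif mac in vip_macs:
            findings.append(f"{rip}: real IP shares MAC {mac} with a VIP")
    return findings


if __name__ == "__main__":
    expected = {"192.0.2.174": 10}
    real = ["192.0.2.173"]
    print("thread table:", check_vrrp_arp(GOOD_ARP, expected, real) or "consistent")
    print("hypothetical bad table:", check_vrrp_arp(BAD_ARP, expected, real))
```

If the check reports nothing, the ARP layer is not where the missing ICMP replies are lost and the next step in the thread (`fw unloadlocal`, then `tcpdump -e` or `fw monitor` on the inbound interface) is the right one; if a real IP resolves to the VMAC, fix the VRRP/MC or interface configuration before blaming the policy.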