On Ciscos try set port host
Derin
-----Original Message-----
From: Alan Yeow [mailto:[email protected]]
Sent: Wed 18/12/2002 01:27
To: [email protected]
Cc:
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

Mell,

Yah, used NTP to sync both fw.
Time diff is approx 1 - 10 millisecs.

Not sure if it has to do with STP. Seems like STP is not recommended in Vrrps but our cust requires STP. Enabled portfast and did some tuning on STP configs but still didn't help.

Wonder if anyone out there with VRRP config on Nokia faces this prob?

ay
----- Original Message -----
Sent: Tuesday, December 17, 2002 5:55 PM
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

Ay,

Have you checked that both the firewalls times are very close - within 10s of each other?

Derin
-----Original Message-----
From: Alan Yeow [mailto:[email protected]]
Sent: Tue 17/12/2002 06:56
To: [email protected]
Cc:
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

Mell,

We did check the sync for both fws and both seem to be up.
#cphaprob state

Run tcpdumps on both sides of fws and both seem to have I/O on the sync interfaces.

Nokia Resolution - 3636 said that it's a known issue and given some solution to it but to no avail. Cold start & link delay recogz didn't help either.

FTP is still having problem failing back from Sec to Primary. Anyhow, we will check out the fw ctl pstat and look at the connx tables.

Thanks
Ay
----- Original Message -----
From: "Mellor, Derin" <[email protected]>
To: <[email protected]>
Sent: Thursday, December 12, 2002 4:40 PM
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

> Have you checked whether the CP Sync is operational?
>
> fw ctl pstat
>
> Reports the current state of the sync process. This should report see
> both incoming and outgoing packets at both firewalls.
>
> Better still looking in the connection table for the ftp command and
> data sessions at both firewalls.
>
> Derin
>
>
> -----Original Message-----
> From: Alan Yeow [mailto:[email protected]]
> Sent: 12 December 2002 02:13
> To: [email protected]
> Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
>
>
> Mell,
>
> This is not a cold reboot. We did a test by running FTP thru the primary
> and pulled out the cable so that it fails over to secondary (which it
> did in 4 secs) but when we plugged the cable back in the primary again,
> it took approx 20 secs to failback from secondary to primary and FTP
> stops.
>
> Failover from Master to Secondary - 4 secs
> Failover from Secondary back to Primary - 20 secs or more
>
> Well we did try the cold start delay (30, 60, 120 secs) but didn't work
> though. Anyhow, we will try again. There's a resolution from Nokia on
> this and we tried it but couldn't get it to solve the problem.
>
> Any other config that we shud try?
>
> Thank you.
> Ay
>
> ----- Original Message -----
> From: "Mellor, Derin" <[email protected]>
> To: <[email protected]>
> Sent: Tuesday, December 10, 2002 3:23 PM
> Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
>
>
> > Is this a cold reboot?
> >
> > VRRP is fairly slow recovering, ~20s.
> >
> > If the Master recovers VRRP will immediately switch all session to
> > flow through the Master. This can cause problems as CP might not have
> > finished installing (i.e. it has the default filter loaded,
> > synchronization of connection table is not complete).
> >
> > The effect is that existing connections move back to the Master. Until
> > the correct security policy and synchronization is loaded the packets
> > will be at best dropped. Normally, once CP is fully initialized and
> > synchronized the sessions continue - this will cause a glitch and
> > possibly dump connections.
> >
> > From my testing it could take ~45s for CP to initialize and
> > synchronize connection tables. To solve this problem you need to hold
> > VRRP. In the VRRP configuration page configure VRRP Cold Start Delay
> > to 60s (this will ensure that CP initializes and synchronizes). This
> > effectively delays VRRP from starting for the specified time period.
> >
> > Assuming this is your issue, the recovery should be seamless.
> >
> > Hope this is of use.
> >
> > Derin
> >
> >
> > -----Original Message-----
> > From: Alan Yeow [mailto:[email protected]]
> > Sent: 09 December 2002 07:34
> > To: [email protected]
> > Subject: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
> >
> >
> > Hello all,
> >
> > Anyone experienced problems when secondary fails back to primary fw?
> >
> > Problem is, it takes 15-30 seconds to failback from secondary to
> > primary. Secondly, after failing back from secondary to primary,
> > existing FTP connections never continue.
> >
> > Here's a brief scenario on what's going on
> > =================================================
> > 1. VRRP alone on Nokia is working fine.
> > 2. Primary fails over to secondary is working fine.
> >    - Primary is able to fail to secondary within 2-4 timeouts
> >    - Ping continues with only 2-4 timeouts
> >    - FTP stops for fraction of time and it's able to continue
> >
> > BUT
> >
> > 3. When failing back from secondary to primary it takes approx
> >    15 - 30 request timeouts.
> >    - Ping session stops with 15-30 timeouts before replies come in
> >    - FTP stops and never resumes connection even after the ping
> >      replies.
> >      (that means users will need to reconnect and download again)
> >
> > Any ideas or solutions to this?
> >
> > Thanks
> > Alan
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================