
Re: [FW-1] Nokia IPSO cluster - secondary answering arp requests



Thanks for your reply Shawn.  I have them both set to the VMAC.  What is
happening is that both reply to the arp request, which I have since learned
they are supposed to do.  The switch is only keeping the MAC on the port
that last responds.  So many of my proxy-arp addresses are being sent to the
port the secondary is connected to.  I was given a tip from a local Nokia
SE, who said to configure backup VRRP addresses instead of proxy-arp
addresses.  I have not done this yet, but think it will work.  My main
external VRRP address never had the problem like the proxy-arp addresses.  I
did some sniffing and found out that the secondary will not respond to arp
requests for VRRP addresses, when it is in slave mode.  My next concern is
then a failover scenario.  I will need to wait for the arp cache to time-out
before another arp request, which the new master will then respond for.  How
should this work in an ideal situation?  My router is a Cabletron SSR-8000
(now Enterasys).  I will give them a call today as well.  Thanks again.

-Aaron

-----Original Message-----
From: Shawn Behrens [mailto:[email protected]]
Sent: Wednesday, February 19, 2003 7:35 PM
To: [email protected]
Subject: Re: [FW-1] Nokia IPSO cluster - secondary answering arp requests


The proxy ARP on both firewalls should be set up with the VRRP MAC address,
not the interface MAC. That way, both might respond, but traffic goes to the
VRRP MAC, which is handled by the master.

Did you set your proxy ARPs up with VRRP MAC or the physical interface MAC?

Shawn

> -----Original Message-----
> From: <Aaron Reynolds> [mailto:[email protected]]
> Sent: Wednesday, February 19, 2003 5:11 PM
> To: [email protected]
> Subject: [FW-1] Nokia IPSO cluster - secondary answering arp requests
>
>
> I have two Nokia IP650s running IPSO 3.5 FCS8 / 4.1 SP6.  I just removed a
> hub that was sandwiched between the cluster and the upstream router.  Since
> doing that, I have noticed that the secondary is responding to arp requests
> for some of the virtual IPs.  For instance we have a proxy-arp entry on both
> firewalls for the static address of our mail server.  About 3 times, since
> pulling out the hub, the secondary has responded for the arp request for our
> mail server public address.  At that point mail traffic stops, because the
> upstream router is sending all traffic to the secondary firewall port, which
> ignores all traffic.  Anybody have any idea about this?  Thanks for any
> help.
>
> -Aaron
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
>
>
>
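
The behaviour discussed in this thread, modelled as an added example (not part of the original messages): a learning switch keeps the virtual MAC on whichever port sourced it last, so a proxy-ARP reply from the secondary pulls traffic to a node that drops it, while an address that only the master answers for stays on the master's port. The VMAC value, the 192.0.2.25 address, the port numbers and the assumption that ARP replies are sourced from the VMAC are constructed for illustration.

```python
from dataclasses import dataclass, field

VMAC = "00:00:5e:00:01:0a"  # VRRP virtual MAC, VRID 10 (constructed value)
MAIL_IP = "192.0.2.25"      # documentation-range stand-in for the mail server


@dataclass
class Firewall:
    name: str
    port: int                 # switch port the node is plugged into
    master: bool
    proxy_arp: set = field(default_factory=set)    # answered in any VRRP state
    vrrp_backup: set = field(default_factory=set)  # answered only while master

    def answers_arp(self, ip):
        return ip in self.proxy_arp or (self.master and ip in self.vrrp_backup)


def forward(ip, nodes):
    """Router ARPs for ip, then sends a frame to the VMAC.

    nodes are listed in the order their ARP replies reach the switch.
    Returns the name of the node that processes the frame, or None if the
    frame lands on a port whose node is not master (traffic is dropped).
    """
    cam = {}  # learning switch: source MAC -> port it was last seen on
    for fw in nodes:
        if fw.answers_arp(ip):
            cam[VMAC] = fw.port  # assumption: reply frame is sourced from the VMAC
    port = cam.get(VMAC)
    for fw in nodes:
        if fw.port == port and fw.master:
            return fw.name
    return None


def cluster(mode):
    """Build the pair with MAIL_IP configured as 'proxy_arp' or 'vrrp_backup'."""
    return [Firewall("primary", 1, True, **{mode: {MAIL_IP}}),
            Firewall("secondary", 2, False, **{mode: {MAIL_IP}})]


if __name__ == "__main__":
    print("proxy-arp, secondary replies last:", forward(MAIL_IP, cluster("proxy_arp")))
    print("proxy-arp, primary replies last:  ", forward(MAIL_IP, cluster("proxy_arp")[::-1]))
    print("VRRP backup address:              ", forward(MAIL_IP, cluster("vrrp_backup")))
```
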


   All contents © 2004 Network Presence, LLC. All rights reserved.