
[FW-1] Brand new HA environment acting really weird - not failing over CORRECTLY



ENVIRONMENT:
2 New IP530's (512MB)
IPSO 3.6 FCS6
Extra QUAD Quad (not in use yet)
FP3 HF-1
Policy Any Any
No Static or Proxy ARP entries at this time.

We will be using BIG-IP Link Controllers, but we are just testing failover
with just the Firewalls now.  When the LinkControllers are installed they
will be handling the inbound/outbound NAT.

DIAGRAM OF IP ADDRESSES:
FW1:
outside - 193.37.107.14
inside - 10.170.200.1
dmz - 192.168.101.1
default gateway is the Internet
static routes to all the internal networks are defined via 10.170.200.253

FW2:
outside - 193.37.107.15
inside - 10.170.200.2
dmz - 192.168.101.2

VIP with Monitored Circuits:
out - 193.37.107.16
in - 10.170.200.3
dmz - 192.168.101.3

Management station - 172.20.10.30

CORE ROUTER (with dual Ethernet interfaces):
Outside interface facing the firewall - 10.170.200.253 (default gateway is
the VIP - 10.170.200.3), (static routes to get to the FW's external IP
addresses via the FW internal IP addresses)
Inside interface  - 172.20.10.253

Outside Test PC - 193.37.107.11 (default gateway is the VIP 193.37.107.16)

PROBLEM:
- Inbound failover works perfectly
- Outbound failover works perfectly, IF YOU ARE ON THE 10.170.200.x network.
- VRRP works fine, a Nokia SE was on-site and did the config

1) Outbound fails when on the 172.20.10.x network --- When testing failover
while doing FTP or ping from an internal PC that is off the internal Core
Router (10.170.200.253/172.20.10.253), the failover doesn't work. While
doing a tcpdump while a PING was going, both FW inside interfaces are
responding with Echo Requests and Echo Replies.

Correct me if I'm wrong, but I should be doing HIDE NAT on all the internal
networks so that it HIDES their IPs as they leave the firewall... RIGHT?
With that being said, I can get the failover to work PERFECTLY if I turn
off the NAT ONLY ON THE other internal network of the Core Router
(172.20.10.x), while leaving NAT enabled on the locally attached FW network
(10.170.200.1).

State Synch:
Seems to be fine; when I do a 'fw tab -t connections -s' the values are
maybe off by 1, if that.

2) When I do a 'cphaprob state', it shows they are both ACTIVE - Is this
correct?
In earlier NG documents it says that the Secondary should be on STANDBY.

3) When I do a 'cphaprob -i list' it shows that NO devices are bound. A
document from Digital Migrations says it should come back with the
following information below, but mine comes back with nothing for all of
them - Is this correct? The Nokia support tech I was talking to yesterday
says that his FWs show nothing.

Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Device Name: HA Initialization
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 101.1 sec
Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 101.1 sec
Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec

Daniel Samaan
Technical Security Consultant
CCSE, CCNA, CSPFA, CSVPN, CCA, MCSE+I
Cell:[email protected]

---------------------------------------------------------------------
Forsythe Solutions
5440 W. Fargo Avenue
Skokie, IL 60077
www.forsythesolutions.com

Building cost-effective IT infrastructure that organizations trust.
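The reference `cphaprob -i list` output quoted in the post lends itself to a scripted check, so that a member reporting nothing, a device in a non-OK state, or a watched device that has missed its timeout is spotted without eyeballing the text. The following is an added example, not code from the original post and not Check Point's own tooling: it parses that output, reports the "no devices bound" case the poster describes, and compares the `#VALS` connection counts read from `fw tab -t connections -s` on both members. The sample outputs are constructed from the post's device list, and the drift tolerance is an assumption of this example.

```python
"""Sanity-check a two-member cluster from `cphaprob -i list` output.

Added example (not from the original post or from Check Point). The sample
output below is constructed from the device list quoted in the post.
"""
import re

# Constructed sample: the reference `cphaprob -i list` output quoted in the post.
HEALTHY_OUTPUT = """\
Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Device Name: HA Initialization
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 101.1 sec
Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 101.1 sec
Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec
"""

# Constructed sample: what the poster actually saw (nothing bound at all).
EMPTY_OUTPUT = ""

# Devices a working member is expected to report, taken from the post's list.
EXPECTED_DEVICES = {"Interface Active Check", "HA Initialization",
                    "Synchronization", "Filter", "fwd"}


def _seconds(value):
    """'2 sec' -> 2.0, 'none' -> None."""
    m = re.match(r"([\d.]+)\s*sec", value)
    return float(m.group(1)) if m else None


def parse_cphaprob_list(text):
    """Return one dict per device parsed from `cphaprob -i list` output."""
    devices, section, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("Devices:"):          # "Built-in Devices:" / "Registered Devices:"
            section = line[:-1]
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Device Name":
            current = {"section": section, "name": value, "state": None,
                       "timeout": None, "since_report": None}
            devices.append(current)
        elif current is None:
            continue                           # stray line before any device
        elif key == "Current state":
            current["state"] = value
        elif key == "Timeout":
            current["timeout"] = _seconds(value)
        elif key == "Time since last report":
            current["since_report"] = _seconds(value)
    return devices


def cluster_health(text, expected=EXPECTED_DEVICES):
    """Return a list of problems found in one member's output (empty == healthy).

    Flags: no devices bound, an expected device missing, a device not OK, and a
    device with a timeout whose last report is older than that timeout.
    """
    devices = parse_cphaprob_list(text)
    if not devices:
        return ["no devices bound: cphaprob -i list returned nothing"]
    problems = []
    seen = {d["name"] for d in devices}
    for name in sorted(expected - seen):
        problems.append(f"missing device: {name}")
    for d in devices:
        if d["state"] != "OK":
            problems.append(f"{d['name']}: state {d['state']}")
        if (d["timeout"] is not None and d["since_report"] is not None
                and d["since_report"] > d["timeout"]):
            problems.append(f"{d['name']}: last report {d['since_report']}s ago "
                            f"exceeds {d['timeout']}s timeout")
    return problems


def sync_drift(vals_member1, vals_member2, tolerance=5):
    """Compare the `#VALS` count of the connections table on both members.

    Returns (in_sync, difference). A few entries of drift is normal while traffic
    is flowing; a large gap suggests state sync is not delivering. The tolerance
    of 5 is an assumption of this example, not a Check Point figure.
    """
    diff = abs(vals_member1 - vals_member2)
    return diff <= tolerance, diff


if __name__ == "__main__":
    for label, out in (("reference", HEALTHY_OUTPUT), ("as seen", EMPTY_OUTPUT)):
        print(label, cluster_health(out) or ["OK"])
    print(sync_drift(1234, 1233))
```

Run it on each member's output in turn; a member whose list is empty, or whose `fwd` device has gone quiet past its timeout, is the one to look at first, and a connection-table gap far beyond a handful of entries points at sync rather than at the routing.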


   All contents © 2004 Network Presence, LLC. All rights reserved.