[FW-1] Brand new HA environment acting really weird - not failing over CORRECTLY
ENVIRONMENT:
2 New IP530's (512MB)
IPSO 3.6 FCS6
Extra QUAD Quad (not in use yet)
FP3 HF-1
Policy Any Any
No Static or Proxy ARP entries at this time.

We will be using BIG-IP Link Controllers, but we are just testing failover with just the Firewalls now. When the LinkControllers are installed they will be handling the inbound/outbound NAT.

DIAGRAM OF IP ADDRESSES:

FW1:
  outside - 193.37.107.14
  inside  - 10.170.200.1
  dmz     - 192.168.101.1
  default gateway is the Internet
  static routes to all the internal networks are defined via 10.170.200.253

FW2:
  outside - 193.37.107.15
  inside  - 10.170.200.2
  dmz     - 192.168.101.2

VIP with Monitored Circuits:
  out - 193.37.107.16
  in  - 10.170.200.3
  dmz - 192.168.101.3

Management station - 172.20.10.30

CORE ROUTER (with dual Ethernet interfaces):
  Outside interface facing the firewall - 10.170.200.253 (default gateway is the VIP - 10.170.200.3), (static routes to get to the FW's external IP addresses via the FW internal IP addresses)
  Inside interface - 172.20.10.253

Outside Test PC - 193.37.107.11 (default gateway is the VIP 193.37.107.16)

PROBLEM:
- Inbound Failover works perfectly
- Outbound failover works perfectly, IF YOU ARE ON THE 10.170.200.x network.
- VRRP works fine, a Nokia SE was on-site and did the config

1) Outbound fails when on the 172.20.10.x network
--- When testing failover while doing FTP or ping from an internal PC that is off the internal Core Router (10.170.200.253/172.20.10.253), the failover doesn't work. While doing a tcpdump while a PING was going, both FW inside interfaces are responding with Echo Requests and Echo Replies. Correct me if I'm wrong, but I should be doing HIDE NAT on all the internal networks so that it HIDES their IPs as they leave the firewall... RIGHT? With that being said, I can get the failover to work PERFECTLY if I turn off the NAT ONLY ON THE other internal network of the Core Router 172.20.10.x, while leaving NAT enabled on the locally attached FW network (10.170.200.1).
State Synch: Seems to be fine. When I do a 'fw tab -t connections -s', the Values are maybe off by 1, if that.

2) When I do a 'cphaprob state', it shows they are both ACTIVE - Is this correct? In earlier NG documents it says that the Secondary should be on STANDBY.

3) When I do a 'cphaprob -i list' it shows that NO devices are bound. A document from Digital Migrations says it should come back with the following information below, but mine comes back with nothing for all of them - Is this correct? The Nokia support tech I was talking to yesterday says that his FW's show nothing.

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 101.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 101.1 sec

Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec

Daniel Samaan
Technical Security Consultant
CCSE, CCNA, CSPFA, CSVPN, CCA, MCSE+I
Cell: [email protected]
---------------------------------------------------------------------
Forsythe Solutions
5440 W. Fargo Avenue
Skokie, IL 60077
www.forsythesolutions.com
Building cost-effective IT infrastructure that organizations trust.
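As an added example (not from the post, and not Check Point's or Nokia's code), here is a small Python checker for the 'cphaprob -i list' output layout quoted above. It parses each "Device Name:" block into a record, confirms that every device named in the reference listing is present with state OK, and reports the empty listing the poster describes as a distinct finding. The device names and the healthy sample text are taken from the post; the parser, the problem rules and the timeout comparison are my own construction and assume the blank-line-separated "Key: value" layout shown.

```python
"""Parse 'cphaprob -i list' output and report unhealthy or missing HA devices.

Added example, not from the original post. Assumes the layout the post quotes:
section headers ending in "Devices:", then one "Device Name:" block per device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the healthy reference listing reproduced in the post.
SAMPLE_HEALTHY = """\
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 101.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 101.1 sec

Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec
"""

# Constructed sample: the "nothing bound" case the poster reports.
SAMPLE_EMPTY = "Built-in Devices:\n\nRegistered Devices:\n"

# Devices the post's reference listing says a healthy member reports.
EXPECTED_DEVICES = {"Interface Active Check", "HA Initialization",
                    "Synchronization", "Filter", "fwd"}

_SECS = re.compile(r"([\d.]+)\s*sec")


@dataclass
class Device:
    name: str
    section: str                       # "Built-in" or "Registered"
    state: str = ""
    registration: Optional[int] = None
    timeout: Optional[str] = None      # raw text, e.g. "none" or "2 sec"
    last_report_sec: Optional[float] = None


def parse_cphaprob_list(text: str) -> List[Device]:
    """Turn the listing into Device records, in the order they appear."""
    devices: List[Device] = []
    section, current = "unknown", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Devices:"):           # "Built-in Devices:" etc.
            section, current = line[:-len(" Devices:")], None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Device Name":
            current = Device(name=value, section=section)
            devices.append(current)
        elif current is None:
            continue                            # stray line before any device
        elif key == "Current state":
            current.state = value
        elif key == "Registration number":
            current.registration = int(value)
        elif key == "Timeout":
            current.timeout = value
        elif key == "Time since last report":
            m = _SECS.match(value)
            current.last_report_sec = float(m.group(1)) if m else None
    return devices


def find_problems(devices: List[Device], expected=EXPECTED_DEVICES) -> List[str]:
    """Return human-readable findings; an empty list means the listing looks healthy."""
    problems: List[str] = []
    if not devices:
        problems.append("no devices reported (nothing bound)")
    for name in sorted(expected - {d.name for d in devices}):
        problems.append(f"missing device: {name}")
    for d in devices:
        if d.state != "OK":
            problems.append(f"{d.name}: state {d.state or 'unknown'}")
        # A device with a real timeout that has not reported within it is stale.
        m = _SECS.match(d.timeout or "")
        if m and d.last_report_sec is not None and d.last_report_sec > float(m.group(1)):
            problems.append(f"{d.name}: last report {d.last_report_sec}s exceeds timeout {d.timeout}")
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("empty", SAMPLE_EMPTY)):
        print(label, find_problems(parse_cphaprob_list(sample)) or ["OK"])
```

Run against saved output from each cluster member and compare the two lists; a member that parses to nothing, as in the post, is flagged explicitly rather than silently passing as "no problems found".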