Re: [FW-1] NG FP3 New HA Cluster Question
You can't ping the virtual IP of the cluster on the firewall machine itself. I have faced the same problem in Nokia IP clustering. I think it is caused by the ICMP stateful inspection of Check Point NG. Also, you can telnet to the IP address that you can't ping. I have opened a case for this problem with Nokia and Check Point.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Alberto
Sent: Monday, February 24, 2003 11:38 AM
To: [email protected]
Subject: Re: [FW-1] NG FP3 New HA Cluster Question

Hi,

I have the same configuration, but I'm using load-sharing, and the same version and hardware. And the same ping problem. When the ping to the cluster IP works, the one to the fw IP does not work... and the reverse, when the ping to the fw IP works, the one to the virtual IP fails. And just waiting a couple of minutes, if you ping first to the fw IP it works, but then the other does not. ..... It always works the first you try.

I've some other problems that make me think about CP stability. For instance, the famous "connection to www server failed", when using the HTTP security server. I've learned to ignore users' claims, because I just have to wait for the next day, without doing anything at all concerning this problem. "It'll work tomorrow, sure". I've seen it many times...

Regards.

Crowe, Robert W. wrote:

> Sorry about the confusion, I should have been more specific. This is NG FP3 HF1 on Solaris 8.
>
> -----Original Message-----
> From: Ted Serreyn [mailto:[email protected]]
> Sent: Sat 2/22/2003 4:23 PM
> To: [email protected]
> Cc:
> Subject: Re: [FW-1] NG FP3 New HA Cluster Question
>
> What type of hardware is this running on?
>
> If you truly are running clustering on a Nokia and not VRRP HA, then you
> will not be able to ping the Virtual addresses. This is, IMHO, a major
> problem with running clustering in the current generation of the IPSO
> based clustering.
>
> Ted Serreyn
>
> > I have a NG FP3 HA cluster (not load-sharing) internal to the LAN not doing
> > NAT, just packet-filtering. Should I be able to ping both cluster IPs?
> > etc. see below:
> >
> > 1st side
> > Cluster IP - 10.0.0.1
> > Firewall 1 - 10.0.0.2
> > Firewall 2 - 10.0.0.3
> >
> > 2nd side
> > Cluster IP - 192.168.1.1
> > Firewall 1 - 192.168.1.2
> > Firewall 2 - 192.168.1.3
> >
> > Sometimes I can only ping the interfaces of Firewall 1 and the Cluster IPs.
> > Sometimes I can only ping the interfaces of Firewall 1 and Firewall 2 but
> > not the Cluster IPs.
> >
> > SmartView Status reports everything fine, and shows Firewall 1 as active
> > and Firewall 2 as standby.
> > I've worked with many other vendors' firewall clusters and I could always
> > ping all interfaces and cluster IPs.
>
> --
> Ted Serreyn
> Serreyn Network Services, LLC
> http://www.serreyn.com/

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================