NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] IP Clustering with IPSO 3.7 CVP Problem - Does GOD hates me?



Hello Gurus,

We are experiencing a very weird behavior of Firewall 1 AI within a
customer.

We currently have it deployed over a 2 Nokia IP 650 using IPSO 3.7 and
running IP Clustering. We have are not using NAT or VPN. We are also using
Trendmicro's Interscan Viruswall for Windows NT 3.52 and a CVP server for
HTTP and FTP.

The strange behavior is shown when we test the high availability feature of
the load sharing capabilities of IP Clustering. When start a FTP connection
and we turn of the firewall that is handling that particular connection, the
other one does not take it over. It's something like this:

If the FTP connection is going through firewall A and firewall A goes
down, the connection is lost and must be re-established.
If the FTP connection is going through firewall B and firewall B goes
down, the connection is lost and must be re-established.
If the FTP connection is going through firewall A and firewall B goes
down, the connection is not affected.
If the FTP connection is going through firewall B and firewall A goes
down, the connection is not affected.
In other words, the connection is lost if the firewall that goes down is
the one the FTP connection was going through.

I truly feel this is an incompatibility issue with CVP and IP Clustering,
and it's by design. I have already notified checkpoint, but I'd like your
opinion on this problem. Can someone give me some advice on this?

Thank you!

Regards

Daniel Accioly Rosa, CISSP
Consultant
Global Infrastructure Services
Phone :55+(21) 3804-5110
Net : 692-5110
UNISYS Imagine it. Done.

> This message, including its attachments, is confidential and its contents
> are restricted to the addressee. If you have received this message by
> accident, please discard its contents by removing it from your mailbox.
> Any unauthorized use of this message, replication or dissemination is
> expressly prohibited. Unisys is not responsible for the content or
> reliability of this information..
>
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.