
Re: [FW-1] IP Clustering with IPSO 3.7 CVP Problem - Does GOD hates me?



John,

There are two full 100-Mbit networks available for state sync: one for
Checkpoint sync and the other for IPSO xpand traffic... just as recommended in
Nokia's and Checkpoint's documentation. The switches have multicast
enabled and are configured as suggested. I have also checked the tables using a
command I don't recall (it shows the connection tables' content) on both
machines' consoles at the same time. The result was identical...

Also I have to say that the network is not in production yet, and the
traffic is minimal... I have checked the memory and CPU usage and saw that
there are no performance problems.

We have tried lowering the sync time, but the result was the same.

Does GOD hate me or is it just another Checkpoint BUG? :)

I truly want to know if there is anyone using load sharing capabilities
with Cluster XL or IP Clustering and CVP. Please also tell me if there is
NAT or VPN involved. I'm trying to identify if this is a "by design" problem
or not.

HELP ME GURUS!

Tks

Daniel

-----Original Message-----
From: Morhous, John [mailto:[email protected]]
Sent: Wednesday, August 6, 2003 16:58
To: [email protected]
Subject: RE: [FW-1] IP Clustering with IPSO 3.7 CVP Problem - Does GOD
hates me?


Clustering on the Nokias is just going to handle IP based failovers;
state-sync through Checkpoint would be responsible for failing over a
specific TCP session through the firewalls.

Is state-sync working right (cphaprob state from IPSO cmd prompt)? Does
the state-sync network have enough bandwidth to adequately sync up?

-JTM

-----Original Message-----
From: Accioly, Daniel [mailto:[email protected]]
Sent: Wednesday, August 06, 2003 12:48 PM
To: [email protected]
Subject: [FW-1] IP Clustering with IPSO 3.7 CVP Problem - Does GOD hates
me?
Importance: High


Hello Gurus,

We are experiencing a very weird behavior of Firewall 1 AI within a
customer.

We currently have it deployed over 2 Nokia IP 650s using IPSO 3.7 and
running IP Clustering. We are not using NAT or VPN. We are also
using Trendmicro's Interscan Viruswall for Windows NT 3.52 and a CVP
server for HTTP and FTP.

The strange behavior is shown when we test the high availability feature
of the load sharing capabilities of IP Clustering. When we start an FTP
connection and we turn off the firewall that is handling that particular
connection, the other one does not take it over. It's something like
this:

If the FTP connection is going through firewall A and firewall A goes
down, the connection is lost and must be re-established. If the FTP
connection is going through firewall B and firewall B goes down, the
connection is lost and must be re-established. If the FTP connection is
going through firewall A and firewall B goes down, the connection is not
affected. If the FTP connection is going through firewall B and firewall
A goes down, the connection is not affected. In other words, the
connection is lost if the firewall that goes down is the one the FTP
connection was going through.

I truly feel this is an incompatibility issue with CVP and IP
Clustering, and it's by design. I have already notified checkpoint, but
I'd like your opinion on this problem. Can someone give me some advice
on this?

Thank you!

Regards

Daniel Accioly Rosa, CISSP
Consultant
Global Infrastructure Services
Phone :55+(21) 3804-5110
Net : 692-5110
UNISYS Imagine it. Done.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.