Re: [FW-1] IP Clustering with IPSO 3.7 CVP Problem - Does GOD hates me?
Hi,

It may be related to a limitation of CP sync. CP cannot synchronize security server connections like CVP. That is why the second module does not recover the FTP connections. You can see these limitations in the ClusterXL document of NG AI. I have also posted some part of the limitations related to the same problem on this mailing list before.

Also, if any interface change happens or the policy is re-installed, the firewall may drop data connections after fail-over if "keep all connections" is not checked in Cluster Object > Advanced > Connection Persistence.

BR

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Accioly, Daniel
Sent: Wednesday, 06 August 2003 19:48
To: [email protected]
Subject: [FW-1] IP Clustering with IPSO 3.7 CVP Problem - Does GOD hates me?
Importance: High

Hello Gurus,

We are experiencing a very weird behavior of Firewall 1 AI within a customer. We currently have it deployed over 2 Nokia IP 650 using IPSO 3.7 and running IP Clustering. We are not using NAT or VPN. We are also using Trendmicro's Interscan Viruswall for Windows NT 3.52 and a CVP server for HTTP and FTP.

The strange behavior is shown when we test the high availability feature of the load sharing capabilities of IP Clustering. When we start an FTP connection and turn off the firewall that is handling that particular connection, the other one does not take it over. It's something like this:

If the FTP connection is going through firewall A and firewall A goes down, the connection is lost and must be re-established.
If the FTP connection is going through firewall B and firewall B goes down, the connection is lost and must be re-established.
If the FTP connection is going through firewall A and firewall B goes down, the connection is not affected.
If the FTP connection is going through firewall B and firewall A goes down, the connection is not affected.
In other words, the connection is lost if the firewall that goes down is the one the FTP connection was going through. I truly feel this is an incompatibility issue with CVP and IP Clustering, and it's by design. I have already notified Checkpoint, but I'd like your opinion on this problem.

Can someone give me some advice on this?

Thank you!

Regards

Daniel Accioly Rosa, CISSP
Consultant
Global Infrastructure Services
Phone :55+(21) 3804-5110
Net : 692-5110
UNISYS
Imagine it. Done.

> This message, including its attachments, is confidential and its contents
> are restricted to the addressee. If you have received this message by
> accident, please discard its contents by removing it from your mailbox.
> Any unauthorized use of this message, replication or dissemination is
> expressly prohibited. Unisys is not responsible for the content or
> reliability of this information.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================