Re: [FW-1] possible VRRP issue and TCP out of sync errors
Yep, it's pointing to the VRRP mac. I actually got it to start working finally. I had 3 VLANs on a single switch: 1 for the external VRRP connections, 1 for the internal VRRP connections, and 1 for the DMZ VRRP connections. I took the external connections out and put them on a separate, small switch and it began to work. The VLAN is configured properly, so I don't know why it was forcing the returning traffic onto the second firewall, but it was. Thanks for the suggestion.

Eric

-----Original Message-----
From: Scott Friedman [mailto:[email protected]]
Sent: Thursday, August 28, 2003 2:01 PM
To: [email protected]
Subject: Re: [FW-1] possible VRRP issue and TCP out of sync errors

Check the arp cache on the DMZ server. Make sure the IP that it's sending its traffic to is using the VRRP mac and not the real one...

Scott Friedman
Security Engineer - NG CCSE
[email protected]
Advanced Network Solutions
1750 S. Telegraph Rd Suite 100
Bloomfield Hills, MI 48302
www.advnetworks.com

-----Original Message-----
From: Lewis, Eric [mailto:[email protected]]
Sent: Thursday, August 28, 2003 12:54 PM
To: [email protected]
Subject: [FW-1] possible VRRP issue and TCP out of sync errors

I have two IP330's (FP4 w/AI) that have a single DMZ hanging off of them with all interfaces VRRP'ed. I have a single server on the DMZ that keeps getting out of sync errors due to outbound traffic being sent to one firewall while inbound comes from the other firewall. This should not be occurring since they are VRRP'ed. Everything else on the other internal interface passes traffic back and forth just fine. If I fault everything over to the second firewall it works fine. If I fault everything over to the first firewall the server in the DMZ still won't send traffic out the firewall interface. It is like the traffic from the DMZ will only go one way out although its default route is the VRRP address. Any insights?

Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH
Network Security Officer

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
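The ARP-cache check suggested in the thread, as an added example that is not part of the original messages: it parses ARP table output from the DMZ server and reports whether the default gateway resolves to a VRRP virtual MAC or to a physical one. It assumes the standard IPv4 VRRP virtual MAC 00-00-5E-00-01-{VRID} (RFC 2338 / RFC 3768); the function names and the sample addresses are constructed for illustration.

```python
import re

# Assumption: standard IPv4 VRRP virtual MAC, 00-00-5E-00-01-{VRID}.
VRRP_PREFIX = "00:00:5e:00:01:"

# Matches Linux/BSD "(ip) at mac" and Windows "ip   mac   dynamic" entries.
ENTRY = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?[ \t]+(?:at[ \t]+)?"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})"
)

def normalize_mac(mac):
    """Lowercase, colon-separated, zero-padded (BSD prints 0:0:5e:0:1:a)."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))

def parse_arp(text):
    """Return {ip: mac} for every complete entry; incomplete ones are skipped."""
    return {m["ip"]: normalize_mac(m["mac"]) for m in ENTRY.finditer(text)}

def check_gateway(arp_text, gateway_ip):
    """Classify the ARP entry the host holds for its default gateway."""
    mac = parse_arp(arp_text).get(gateway_ip)
    if mac is None:
        return ("missing", None)
    if mac.startswith(VRRP_PREFIX):
        return ("vrrp", int(mac[-2:], 16))  # last octet is the VRID
    return ("physical", mac)  # traffic is pinned to one firewall's real MAC

# Constructed sample output; 192.0.2.0/24 is a documentation range.
SAMPLE_OK = """\
? (192.0.2.1) at 0:0:5e:0:1:a on em0
? (192.0.2.9) at <incomplete> on em0
"""
SAMPLE_BAD = """\
Interface: 192.0.2.50 --- 0x2
  192.0.2.1             02-00-00-aa-bb-02     dynamic
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_gateway(sample, "192.0.2.1"))
```

A "physical" result means the server is sending to one firewall's real address rather than the shared virtual one, which matches the asymmetric-path symptom described in the original question.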