Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems

To: [email protected]
Subject: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
From: "Vogel, Jochen" <[email protected]>
Date: Wed, 17 Sep 2003 18:47:50 +0200
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>
Thread-index: AcN8SWai+hdUGHDLSbatYE5DM6krLwA8aEIw
Thread-topic: [FW-1] AW: [FW-1] Stonebeat Sync Problems

Hi,

here is the nice answer from stonebeat

FullCluster can be used with firewalls that do not have any state sync mechanism as well as with those firewalls, that have state sync mechanism.
Even if firewall has a state sync mechanism, there can be reasons why that mechanism can not be used. During upgrade, when nodes have different versions from firewall software, state sync can crash the system. Some memory structure problems are more easily seen when state information is synced. A bug or limitation in the firewall software can prevent using sync in some platforms or in the case of some special kind of traffic.

FullCluster has been designed in a way that it does not need state sync during normal operation. Instead of trusting that state sync fixes problems with asymmetry, connections are handled symmetrically. The role of state sync is only to support fail-over of connections when there is a need to move connections between nodes. If state sync can not be used, then existing connections are lost in such situation.

State sync is a FW-1 feature, that has been in FW-1 for a long time. Currently it is located and configured under ClusterXL settings, even when using state sync does not need any clusterXL license or actual clusterXL functionality. When some FW-1 version is tested with FullCluster, it does not mean that this specific FW-1 version is claimed to be free from limitations and bugs. It is tested that FullCluster does not prevent the firewall version from operating at the level that FW-1 version operates. Installing FullCluster does not remove any limitations that FW-1 version might have. 

------------------------------------------------------

today i upgraded all checkpoints to NG AI.
it seems to be working fine.

regards
jo


> -----Ursprüngliche Nachricht-----
> Von: Ruiyuan Jiang [mailto:[email protected]]
> Gesendet am: Dienstag, 16. September 2003 13:27
> An: [email protected]
> Betreff: Re: [FW-1] AW: [FW-1] Stonebeat Sync Problems
> 
> Yes, you can install StoneBeat FullCluster 3.0 with Solaris 9 
> but CheckPoint
> NG FP3's state sync does not work with Solaris 9 and that is where the
> problem is.
> 
> Ryan Jiang
> 
> -----Original Message-----
> From: Edouard Zorrilla [mailto:[email protected]]
> Sent: Monday, September 15, 2003 3:26 PM
> To: [email protected]
> Subject: Re: [FW-1] AW: [FW-1] Stonebeat Sync Problems
> 
> 
> So, can I install StoneBeat FullCluster 3.0 with Solaris 9 ?. 
> By the way,
> somebody has installed SBFC 3.0 with Solaris 9?, i have 
> serious problems
> doing it. I was wandering if you would mind send me some 
> manual instalation
> for it !
> 
> Thanks for your help
> 
> Edouard Zorrilla
> ----- Original Message -----
> From: "Vogel, Jochen" <[email protected]>
> To: <[email protected]>
> Sent: Monday, September 15, 2003 12:54 PM
> Subject: [FW-1] AW: [FW-1] Stonebeat Sync Problems
> 
> 
> hi ryan,
> 
> in the release notes solaris9 (64bit) are supported
> ftp://download.stonesoft.com/web/Support/StoneBeat/PublicDocs/
> FullCluster/fw
> -1/3.0/release-notes/sbfc30sp3-2relnote.pdf
> 
> 
> 
> 
> > -----Ursprüngliche Nachricht-----
> > Von: Ruiyuan Jiang [mailto:[email protected]]
> > Gesendet am: Montag, 15. September 2003 19:24
> > An: [email protected]
> > Betreff: Re: [FW-1] Stonebeat Sync Problems
> >
> > I think CheckPoint only certifys Solaris 8 with NG FP3. NG
> > FP3 does not
> > support Solaris 9 with State Sync. You have to downgrade to
> > Solaris 8. That
> > is what happened to me when I first installed Solaris 9.
> >
> >
> > Ryan Jiang
> > Senior UNIX adminstrator
> >
> > -----Original Message-----
> > From: Vogel, Jochen [mailto:[email protected]]
> > Sent: Monday, September 15, 2003 12:13 PM
> > To: [email protected]
> > Subject: [FW-1] Stonebeat Sync Problems
> >
> >
> > Hi,
> >
> > i use
> > -Solaris9
> > -Stonebeat3.0SP2
> > -CheckpointNG.FP3.HF2
> >
> > -the cluster object is created and sync enabled
> > -the sync is in cpconfig enabled
> >
> > if i ping from the cluster an other system i get drops from
> > one system with
> > out of state messages
> >
> > with fw tab -t connections -f i can see that the state table doesn´t
> > correlate.
> >
> > with fw ctl pstat i can see that the snyc send but didnt receive
> > sync new ver working
> > sync out: on  sync in: on
> > sync packets sent:
> > total: 16 retransmitted: 0 retrans reqs: 0 acks: 0
> > sync packets received:
> > total 0 of which 0 queued and 0 dropped by net
> > also received 0 retrans reqs and 0 acks to 0 cb requests
> >
> > if i try to ping the other machine in the heartbeat net i get
> > Sep 15 18:02:35 cfwc1n1.activest.de fw: fwstrmod_filter(out):
> > no interface
> > information (eab1d8)
> >
> > at boottime i can see
> > configuring IPv4 interfaces:NOTICE: sbuwput_proto(29): DL_OUTSTATE
> > ip: joining multicasts failed (3) on sbif0 - will use link
> > layer broadcasts
> > for multicast
> >
> > ifconfig sbif0 shows
> > sbif0:
> > flags=1001843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,IPv4> mtu
> > 1500 index 2
> > inet 192.168.92.33 netmask fffffff0 broadcast 192.168.92.47
> >
> > ether 8:0:20:c9:44:49
> >
> > thx for help
> > jo
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
> 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
  - From: Skar <[email protected]>

Prev by Date: Re: [FW-1] NG FP4 VPN does not work bi-directionally
Next by Date: [FW-1] Help with setting up a VPN between NG, Netscreen and Netgear
Previous by thread: Re: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
Next by thread: Re: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
Index(es):
- Date
- Thread