I have been having a problem with our HA Checkpoint Firewall-1 solution for
about 3 weeks now, and finally narrowed what the problem is. First a little
background...

Each Firewall has the same set of IP address/Mac addresses. One Firewall is
active, while the other is in standby mode.  Whenever there is a failover,
manual or otherwise, the active firewall's interfaces go down, while the
other firewall's interfaces come up. We are using (2) 5509's as our Ethernet
switches, that are connected via a LANE module that goes up to a pair of
8540 ATM switches connected by an OC12 trunk.

With each corresponding interface on each Firewall plugged into the same
switch, the failover is totally transparent.  As soon as the failover
happens, the switch updates its CAM table by removing the old port
assignment, and adding the new one.  The issue is that we are trying to have
FWA plug into 5509A exclusively and FWB plug into 5509B exclusively.  When
we failover in that scenario, the new switch updates its CAM entry, but the
old switch never removes his.  We have to wait for the "cam agingtime" to
expire before that entry will be cleared out, and can start passing traffic
again.

On a subnet with 500 PC's hooked up, are there any issues with setting the
agingtime down to 15 seconds, instead of the 5 minute default?  Is there a
cleaner solution to my problem?

Any help or insight would be greatly appreciated.

Sincerely,
Matt Morrow
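Added example, not part of the original post: a small Python model of the two-switch CAM-table behaviour described above. The switch and port names, the MAC address and the timings are constructed assumptions; the "relearn via trunk" case models a broadcast (such as a gratuitous ARP) sent by the newly active firewall and flooded across the trunk, so the old switch relearns the MAC on its trunk port instead of waiting for the entry to age out.

```python
"""Toy model of two learning switches (5509A, 5509B) joined by a trunk.
The firewall MAC sits behind FWA on 5509A; at failover the same MAC
appears behind FWB on 5509B.  5509A keeps its stale entry until it ages
out or it sees a frame with that source MAC arrive over the trunk."""

TRUNK = "trunk"
FW_MAC = "00:00:5e:00:01:01"   # constructed, not an address from the post
FAILOVER_AT = 10               # seconds into the simulation (assumption)


class Switch:
    """Minimal learning bridge with per-entry aging."""

    def __init__(self, name, aging):
        self.name = name
        self.aging = aging
        self.cam = {}          # mac -> (port, last_seen)

    def learn(self, mac, port, now):
        """A frame with source `mac` arrived on `port`: (re)learn it."""
        self.cam[mac] = (port, now)

    def lookup(self, mac, now):
        """Port to forward to, or None once the entry has aged out."""
        entry = self.cam.get(mac)
        if entry is None:
            return None
        port, seen = entry
        if now - seen >= self.aging:
            del self.cam[mac]  # aged out; the frame would now be flooded
            return None
        return port


def stale_seconds(aging, relearn_via_trunk):
    """Seconds after failover during which 5509A still forwards to FWA's port."""
    a, b = Switch("5509A", aging), Switch("5509B", aging)
    # FWA active: A learns on its access port, B learns via the trunk.
    a.learn(FW_MAC, "3/1", FAILOVER_AT)
    b.learn(FW_MAC, TRUNK, FAILOVER_AT)
    # Failover: FWB's frames now reach 5509B directly on its own access port.
    b.learn(FW_MAC, "3/1", FAILOVER_AT)
    if relearn_via_trunk:
        # Broadcast from FWB is flooded over the trunk; A updates its entry.
        a.learn(FW_MAC, TRUNK, FAILOVER_AT)
    for t in range(FAILOVER_AT, FAILOVER_AT + aging + 1):
        if a.lookup(FW_MAC, t) != "3/1":
            return t - FAILOVER_AT
    return aging
```

Note that a shorter aging time applies to every entry on the switch, so the 500 PCs' entries also expire sooner and traffic to idle hosts is flooded as unknown unicast more often.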

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html