I configured the VRRP in legacy mode (monitored circuit). All seems OK.
############################################################################
##################
FW1 FW2
VRRP State VRRP
State
Flags: On,LocalReceive Flags:
On,LocalReceive
30s coldstart delay (completed) 30s
coldstart delay (completed)
9 interface enabled 9
interface enabled
9 virtual routers configured 9 virtual
routers configured
0 in Init state 0 in Init
state
0 in Backup state 9 in
Backup state
9 in Master state 0 in
Master state
############################################################################
##################
It works fine after I have upgraded from
-----Urspr�ngliche Nachricht-----
Von: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Auftrag von
Ganesharatnam C
Gesendet: Samstag, 18. Oktober 2003 01:25
An: [EMAIL PROTECTED]
Betreff: Re: [FW-1] AW: [FW-1] VRRP Nokia / CP-NG
How did you configure the VRRP in 3.7 ?
- Legacy mode ?
- Cluster mode ?
Did you configure the monitoring circuit in the VRRP ?
Did you try a restart the HA module ?
My understanding is You manage to failover, iclid>sh vrrp shows that the fw1
is backup and fw2 is master. And you also manage to failback, but the state
session does not get transferred. Is this assumption right ?
How did you fail over ?, physically or through the voyager (uncheck the
interface). I have faced a problem before that if you unplug the cable
manually, it takes some time for it to reinstate the interface state, i
assumed it was something to do with the switch, but when I tried it through
Nokia Voyager, I down the int from the GUI, it works fine.
Some ways to troubleshoot the connections status.
fw tab -t connections -s (to check for the connection state)
iclid > sh vrrp
tcpdump the sync int.(you should see both I and O)
Cheers
Ganesh C
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Hintz
Marc
Sent: Friday, October 17, 2003 12:19 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] AW: [FW-1] VRRP Nokia / CP-NG
For example, I lost the ssh-session through the firewall if the
master shift from one to the other. I have to reconnect since
I have upgraded. I can't see traffic on the vrrp-sync interface?
I think I should see the informations about the connections
for the backup firewall?
Best regards
Marc
-----Urspr�ngliche Nachricht-----
Von: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Auftrag von
Ganesharatnam C
Gesendet: Freitag, 17. Oktober 2003 18:48
An: [EMAIL PROTECTED]
Betreff: Re: [FW-1] VRRP Nokia / CP-NG
What do you mean the new master lost all the old connections ?
Thanks
Ganesh C
I have a Nokia IP440/IPSO 3.7 cluster with CP-NG FP3. The Nokia VRRP works
fine until
I have upgraded from IPSO 3.5 / CP-4.1. The shifting from the master to the
backup
works fine. But the new master lost all the old connections.
I have made the changes from Nokia Resolution 13770 in the CP-rulebase. No
effect!
The VRRP sync runs over a dedicated interface. I can't see any traffic on
these interfaces.
A ping from one to the other on these interfaces works. On the other
interfaces
I can see the VRRP traffic:
tcpdump: listening on eth-s3p1
11:50:00.710385 O 10.62.32.66 > 224.0.0.18: VRRPv2-adver 20: vrid 65 pri
250 [tos 0xc0]
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
