We recently ran into the same problem here. I would throw in the towel and set
up your ARPs on the router rather than the firewall. We did that and it
worked fine.

--
Craig Baltes CCSE, GCIA
Senior Information Security Analyst
LURHQ
[EMAIL PROTECTED]
On Thursday 29 April 2004 08:27 am, Not Available wrote:
> Hi all,
>
> two old enemies are allying with each other to pop up in my nightmares.
>
> Two firewalls, Windows 2000 SP4, CheckPoint R55 HFA03 - the latest.
>
> Inside and DMZs, vanilla hub/switches.
> Outside, a hub connects the cluster to a couple of Cisco routers configured
> for HSRP redundancy.
>
> Tried out several configurations for the cluster, but the frustrating
> results seem to indicate there are serious problems getting static NATs to
> work with the cluster: cannot reach NATed services from the outside.
>
> If I delete the cluster object and assign the Virtual IPs to physical
> interfaces on one node while the other is off, it works like a charm.
> Automatic ARP does it, OR I can turn it off and use local.arp file.
>
> Working with the cluster is a bit different: outgoing traffic (hidden
> behind cluster external interface) works, inbound traffic doesn't get to
> the servers.
>
> A little troubleshooting seems to blame ARP for it all. When using
> automatic ARP, no luck. Using the local.arp file makes no difference. Even
> tried fwparp.exe, but it worked a few hours then stopped (maybe when the
> router's ARP cache flushed).
>
> I tried using unicast load sharing, multicast (even if my routers seem not
> to like mcast very much), HA new mode. Didn't try legacy mode yet, just
> because it is deprecated by CP's documentation.
>
> What turns out in every case is that the cluster seems able to ARP out for
> the cluster virtual IP address, but can't do it for NATed addresses, no
> matter how I try to set it up.
>
> Using automatic ARP, it looks like it doesn't ARP at all.
>
> Using local.arp would ARP on both nodes, confusing the router (and it seems
> the effect is like no ARP at all...)
>
> Are there any experiences you can share on how to configure the cluster in
> such a configuration? Is it possible to make it work with static NAT?
> Should I use automatic ARP or what?
>
> Thank you all in advance...
>
>     NA
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
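The ARP symptom in the quoted post (the cluster answers for its virtual IP but not for the NATed addresses, or both members answer and confuse the router) can be checked from the outside router's ARP table. The following is an added example, not code from either poster or from Check Point; it assumes Cisco `show ip arp` output, and every address and MAC in it is constructed.

```python
"""Diagnostic for the ARP symptom in the thread above: the cluster answers ARP for
its virtual IP but not, or inconsistently, for static-NAT addresses. Input is the
outside router's ARP table (Cisco `show ip arp` style); all values are constructed."""
import re
from typing import Dict, List

ARP_ROW = re.compile(r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
                     r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|Incomplete)\b")

def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC for resolved rows; 'Incomplete' rows (no reply ever seen) are dropped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m and m.group("mac") != "Incomplete":
            table[m.group("ip")] = m.group("mac").lower()
    return table

def check_nat_arp(table: Dict[str, str], vip: str, nat_ips: List[str]) -> Dict[str, str]:
    """Compare each NATed address with the MAC the router holds for the cluster VIP:
    'ok' = same MAC as the VIP, 'no-arp-reply' = no entry (nobody proxy-ARPs for it),
    'mac-mismatch' = a different interface or member answered than for the VIP."""
    vip_mac = table.get(vip)  # None if even the VIP is unresolved
    verdict = {}
    for ip in nat_ips:
        mac = table.get(ip)
        verdict[ip] = "no-arp-reply" if mac is None else ("ok" if mac == vip_mac else "mac-mismatch")
    return verdict

def find_flapping(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """IPs whose MAC changed between two snapshots: a sign both members answer ARP."""
    return sorted(ip for ip in before if ip in after and before[ip] != after[ip])

VIP, NAT_IPS = "198.51.100.10", ["198.51.100.20", "198.51.100.21", "198.51.100.22"]
SNAPSHOT_1 = """\
Internet  198.51.100.1            -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  198.51.100.10           3   00a0.c9aa.0001  ARPA   FastEthernet0/0
Internet  198.51.100.20           3   00a0.c9aa.0001  ARPA   FastEthernet0/0
Internet  198.51.100.21           0   Incomplete      ARPA
Internet  198.51.100.22           7   00a0.c9bb.0002  ARPA   FastEthernet0/0
"""
# Second snapshot a few minutes later: the .20 NAT address now resolves to the other member.
SNAPSHOT_2 = SNAPSHOT_1.replace("198.51.100.20           3   00a0.c9aa.0001",
                                "198.51.100.20           0   00a0.c9bb.0002")

if __name__ == "__main__":
    t1, t2 = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    for ip, state in check_nat_arp(t1, VIP, NAT_IPS).items():
        print(f"{ip:16} {state}")
    print("flapping:", find_flapping(t1, t2))
```

Running it against real output means taking two `show ip arp` captures a few minutes apart on the outside router; an address that flips MAC between them is the "both nodes ARP" case from the post, and a missing entry is the "doesn't ARP at all" case.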
