Try adding a static ARP entry on the Ciscos for the cluster IP and MAC address of FW-1. That helped us with the Cisco communication.
-----Original Message-----
From: Not Available [mailto:[EMAIL PROTECTED]
Sent: April 29, 2004 8:28 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

Hi all,

two old enemies are allying with each other to pop up in my nightmares.

Two firewalls, Windows 2000 SP4, CheckPoint R55 HFA03 - the latest. Inside and DMZs, vanilla hubs/switches. Outside, a hub connects the cluster to a couple of Cisco routers configured for HSRP redundancy.

Tried out several configurations for the cluster, but the frustrating results seem to indicate there are serious problems getting static NATs to work with the cluster: cannot reach NATed services from the outside.

If I delete the cluster object and assign the Virtual IPs to the physical interfaces of one node while the other is off, it works like a charm. Automatic ARP does it, OR I can turn it off and use the local.arp file.

Working with the cluster is a bit different: outgoing traffic (hidden behind the cluster external interface) works, inbound traffic doesn't get to the servers. A little troubleshooting seems to blame ARP for it all. When using automatic ARP, no luck. Using the local.arp file makes no difference. Tried even fwparp.exe, but it worked a few hours then stopped (maybe when the router's ARP cache flushed).

I tried using unicast load sharing, multicast (even if my routers seem not to like mcast very much), HA new mode. Didn't try legacy mode yet, just because it is deprecated by CP's documentation.

What turns out in every case is that the cluster seems able to ARP out for the cluster virtual IP address, but can't do it for NATed addresses, no matter how I try to set it up. Using automatic ARP, it looks like it doesn't ARP at all. Using local.arp would ARP on both nodes, confusing the router (and it seems the effect is like no ARP at all...).

Are there any experiences you can share on how to configure the cluster in such a configuration? Is it possible to make it work with static NAT? Should I use automatic ARP or what?

Thank you all in advance...

NA

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
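The poster's diagnosis (the cluster answers ARP for the VIP, but for the NATed addresses either nobody answers or both members answer and confuse the router) and the reply's fix (pin the cluster MAC with a static ARP entry on the Ciscos) can both be checked mechanically. The script below is an added example and is not from the thread or from Check Point; it classifies a constructed set of ARP replies observed on the outside hub per NATed IP, and emits the matching static entries. The local.arp line format (IP, space, dash-separated MAC) is an assumption for the Windows build; the Cisco `arp <ip> <dotted-mac> arpa` syntax is standard IOS. All addresses and MACs are made up.

```python
"""Check proxy-ARP behaviour for NATed addresses in front of a ClusterXL pair
and emit static ARP entries (added example, not code from the thread).

Assumptions: local.arp lines are "<ip> <mac-with-dashes>" (Windows FW-1 build),
the Cisco entry is "arp <ip> <xxxx.xxxx.xxxx> arpa". Sample data is constructed.
"""
from collections import defaultdict

# Constructed capture: (target IP of a who-has probe, MAC in the reply) pairs,
# as a sniffer on the outside hub would see them after probing each address.
CAPTURED_REPLIES = [
    ("203.0.113.10", "00-11-22-AA-BB-01"),   # cluster VIP: one answer, fine
    ("203.0.113.20", "00-11-22-AA-BB-01"),   # NAT IP: member A answers...
    ("203.0.113.20", "00-11-22-aa-bb-02"),   # ...and member B answers too
    # 203.0.113.30 gets no reply at all (automatic ARP did nothing)
]
CLUSTER_VIP = "203.0.113.10"
CLUSTER_MAC = "00-11-22-AA-BB-01"            # MAC that should own the VIP
NATED_IPS = ["203.0.113.20", "203.0.113.30"]


def normalise_mac(mac):
    """Return 12 lowercase hex digits regardless of ':' '-' or '.' notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return digits


def classify(replies, targets):
    """Per target IP: 'no-proxy-arp' (nobody answered), 'ok' (exactly one MAC),
    or 'conflict' (several MACs answered, i.e. both members proxy-ARP it)."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(normalise_mac(mac))
    result = {}
    for ip in targets:
        macs = seen.get(ip, set())
        if not macs:
            result[ip] = "no-proxy-arp"
        elif len(macs) == 1:
            result[ip] = "ok"
        else:
            result[ip] = "conflict"
    return result


def to_cisco_mac(mac):
    """'00-11-22-aa-bb-01' -> '0011.22aa.bb01' (IOS dotted notation)."""
    d = normalise_mac(mac)
    return ".".join(d[i:i + 4] for i in range(0, 12, 4))


def to_local_arp_mac(mac):
    """'0011.22aa.bb01' -> '00-11-22-aa-bb-01' (assumed local.arp notation)."""
    d = normalise_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def static_entries(cluster_mac, vip, nated_ips):
    """Build the local.arp lines (same MAC on both members, so the router sees
    one answer) and the router-side static ARP lines the reply suggests."""
    local_arp = ["%s %s" % (ip, to_local_arp_mac(cluster_mac)) for ip in nated_ips]
    cisco = ["arp %s %s arpa" % (ip, to_cisco_mac(cluster_mac))
             for ip in [vip] + list(nated_ips)]
    return local_arp, cisco


if __name__ == "__main__":
    for ip, verdict in sorted(classify(CAPTURED_REPLIES, NATED_IPS).items()):
        print("%-15s %s" % (ip, verdict))
    local_arp, cisco = static_entries(CLUSTER_MAC, CLUSTER_VIP, NATED_IPS)
    print("\n# local.arp on both members\n" + "\n".join(local_arp))
    print("\n# Cisco router config\n" + "\n".join(cisco))
```

A caveat on the router-side fix: a static ARP entry pins the MAC, so it is only safe where the cluster MAC does not change on failover (multicast mode, where Cisco routers need the static entry anyway because they will not accept an ARP reply mapping a unicast IP to a multicast MAC). In HA new mode the surviving member takes over the VIP with its own physical MAC and announces it by gratuitous ARP; a static entry on the router would keep sending traffic to the dead member's MAC.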
