You are right, ARP is really the problem if you use a virtual IP address. Therefore you have to assign a MAC address to the virtual IP address.

If you use L2 multicast you have to configure on the switch the relation virtual IP address / multicast MAC address statically. Otherwise you have to set the virtual IP address / unicast MAC address on the switch statically. We have more than 10 clusters working with L2 multicast without a problem.

cheers
Philipp

>>> [EMAIL PROTECTED] 11.05.2004 23:32:04 >>>
I ran into a similar issue on my R55 HA new mode cluster when my Sync network went down. Check it out..

SJ

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Sawyer
Sent: Friday, April 30, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

As with StoneBeat, I understand you must use ARPs on the switches for non-VRRP clustering to work. You may even need CAMs on the layer 2 side of the switches as well. Ugly, but it does work.

Douglas Sawyer
Security Analyst
248-489-5016
[EMAIL PROTECTED]
[EMAIL PROTECTED]

>>> [EMAIL PROTECTED] 4/29/2004 9:56:15 AM >>>
Try adding a static ARP entry on the Ciscos for the cluster IP and MAC address of FW-1. That helped us with the Cisco communication.

-----Original Message-----
From: Not Available [mailto:[EMAIL PROTECTED]
Sent: April 29, 2004 8:28 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

Hi all,

two old enemies are allying with each other to pop up in my nightmares.

Two firewalls, Windows 2000 SP4, Check Point R55 HFA03 - the latest. Inside and DMZs, vanilla hubs/switches. Outside, a hub connects the cluster to a couple of Cisco routers configured for HSRP redundancy.

I tried out several configurations for the cluster, but the frustrating results seem to indicate there are serious problems getting static NATs to work with the cluster: I cannot reach NATed services from the outside. If I delete the cluster object and assign the virtual IPs to physical interfaces on one node while the other is off, it works like a charm. Automatic ARP does it, or I can turn it off and use the local.arp file.

Working with the cluster is a bit different: outgoing traffic (hidden behind the cluster external interface) works, inbound traffic doesn't get to the servers. A little troubleshooting seems to blame ARP for it all. When using automatic ARP, no luck. Using the local.arp file makes no difference. I even tried fwparp.exe, but it worked for a few hours then stopped (maybe when the router's ARP cache flushed).

I tried using unicast load sharing, multicast (even if my routers seem not to like mcast very much), and HA new mode. I didn't try legacy mode yet, just because it is deprecated by CP's documentation.

What turns out in every case is that the cluster seems able to ARP out for the cluster virtual IP address, but can't do it for NATed addresses, no matter how I try to set it up. Using automatic ARP, it looks like it doesn't ARP at all. Using local.arp, both nodes ARP, confusing the router (and it seems the effect is like no ARP at all...).

Are there any experiences you can share on how to configure the cluster in such a configuration? Is it possible to make it work with static NAT? Should I use automatic ARP or what?

Thank you all in advance...
NA

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
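The thread above boils down to one question per address: does exactly one MAC answer ARP for each cluster virtual IP and each static-NAT IP, or does nobody answer (the "automatic ARP doesn't ARP at all" symptom), or do both members answer (the "local.arp on both nodes confuses the router" symptom)? The script below is an added example, not code from the list or from Check Point: it classifies each watched IP from a `tcpdump -n arp` capture and, for the ones that are not healthy, prints the static entries the replies recommend pinning on the Cisco side (IOS `arp <ip> <mac> arpa`) and the matching `local.arp` line. The capture, the 203.0.113.0/24 addresses and the MACs are constructed; the `local.arp` notation (`<ip> <mac>`, colon-separated MAC) is an assumption to verify against the documentation of your release.

```python
"""Added example: classify ARP behaviour of cluster / NATed IPs from a tcpdump capture
and emit static ARP entries for the ones that are not answered by exactly one MAC."""
import re
from collections import defaultdict

# Line shapes printed by `tcpdump -n arp` (no -e, so no link-layer header in front).
_REQ = re.compile(r"ARP, Request who-has ([^\s,]+) tell ([^\s,]+)")
_REP = re.compile(r"ARP, Reply ([^\s,]+) is-at ([0-9A-Fa-f:.-]+)")


def normalize_mac(mac):
    """Return 12 lowercase hex digits; accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def analyze_arp(lines, watched):
    """Classify every watched IP seen in the capture lines:
    'ok'       - exactly one MAC answers for it
    'conflict' - more than one MAC answers (both members proxying, as in the original post)
    'no-reply' - requests were seen but nobody answered (proxy ARP not kicking in)
    'unseen'   - no ARP traffic for it at all in this capture
    """
    requests = defaultdict(int)
    replies = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = _REQ.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = _REP.search(line)
        if m:
            replies[m.group(1)][normalize_mac(m.group(2))] += 1
    report = {}
    for ip in watched:
        macs = dict(replies.get(ip, {}))
        if len(macs) > 1:
            status = "conflict"
        elif len(macs) == 1:
            status = "ok"
        elif requests.get(ip, 0):
            status = "no-reply"
        else:
            status = "unseen"
        report[ip] = {"status": status, "requests": requests.get(ip, 0), "macs": macs}
    return report


def cisco_static_arp(ip, mac):
    """IOS static ARP entry: 'arp <ip> <dotted-hex mac> arpa'."""
    d = normalize_mac(mac)
    return f"arp {ip} {d[0:4]}.{d[4:8]}.{d[8:12]} arpa"


def local_arp_line(ip, mac):
    """One line for Check Point's local.arp. Assumed format '<ip> <mac>' with a
    colon-separated MAC; check the notation against your release's documentation."""
    d = normalize_mac(mac)
    return f"{ip} {':'.join(d[i:i + 2] for i in range(0, 12, 2))}"


def suggest_fixes(report, cluster_mac):
    """For every IP that is not 'ok', the static entries that pin it to cluster_mac."""
    return {ip: (cisco_static_arp(ip, cluster_mac), local_arp_line(ip, cluster_mac))
            for ip, r in report.items() if r["status"] != "ok"}


# Constructed capture: documentation addresses, made-up MACs. .2 is the cluster VIP
# (answered once), .10 is a NAT IP nobody answers, .11 is a NAT IP answered by two MACs.
SAMPLE_CAPTURE = """\
12:00:01.000100 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 46
12:00:01.000400 ARP, Reply 203.0.113.2 is-at 00:a0:c9:11:22:33, length 28
12:00:02.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
12:00:03.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
12:00:04.000100 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
12:00:04.000300 ARP, Reply 203.0.113.11 is-at 00:a0:c9:11:22:33, length 28
12:00:04.000350 ARP, Reply 203.0.113.11 is-at 00:a0:c9:44:55:66, length 28
""".splitlines()

WATCHED = ["203.0.113.2", "203.0.113.10", "203.0.113.11", "203.0.113.12"]

if __name__ == "__main__":
    rep = analyze_arp(SAMPLE_CAPTURE, WATCHED)
    for ip, r in rep.items():
        print(f"{ip:14} {r['status']:9} requests={r['requests']} macs={sorted(r['macs'])}")
    # Pin the unhealthy addresses to the MAC that already answers for the cluster VIP.
    for ip, (ios, larp) in suggest_fixes(rep, rep["203.0.113.2"]["macs"] and "00:a0:c9:11:22:33").items():
        print(f"  {ios}\n  local.arp: {larp}")
```

Run it against a real capture taken on the outside segment (`tcpdump -n -i <outside-if> arp`) while a host outside tries to reach a NATed service; a `conflict` on a NAT address is the two-members-answering case, and a `no-reply` means the routers' ARP caches will time out exactly as the fwparp.exe experiment in the original post suggests, which is why the static entries on the Cisco side stick where proxy ARP did not.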
