Thanks for the reply. I see Multicast or Unicast in the Cluster XL LOAD SHARING config options. Do you think that all I have to do is delete the static arp entry in the router, check Unicast in the Cluster XL LOAD SHARING config options and install policy? Is there something else that I have to do?
And will it still be Load Sharing, including the FW outside interface?

thanx

>From: Cecoban, S. A. de C. V. - Romey Valadez [mailto:[EMAIL PROTECTED]
>Sent: 6 June 2005 21:21
>To: [email protected]
>Subject: Re: [FW-1] Cluster XL vs Cisco static arp
>
>
>Because you need to apply a static arp in your routers, I think that you
>have a Cluster XL in Multicast mode; your switch maybe doesn't support
>Multicast mode. The ICMP TTL Count Exceeded appears because when a router
>delivers a packet, it is sent to a Multicast destination. Some switches (or
>hubs) don't understand Multicast and they don't know where the multicast MAC
>address is connected; for this reason the switch sends this packet to all
>ports in the same VLAN. Then this packet is received by the CheckPoint
>Cluster and the other Cisco router. CheckPoint doesn't have a problem because
>it knows how to process the packet, but when the Cisco router receives the
>packet it thinks that this packet needs to be routed, then checks its routing
>tables, and if the destination is the same Cluster XL then this packet is
>delivered to the same Multicast address (remember that both Ciscos have the
>same static arp), repeating this process until the TTL reaches zero (for each
>receive and transmit of the same packet the TTL decreases).
>
>
>You will need to check if your switches support Multicast or change your mode
>to Unicast (for this you will need to delete the static arps in your routers).
>
>
>Regards
>
>Romey Valadez
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] on behalf of nl
>Sent: Monday, 06 June 2005 01:02 a.m.
>To: [email protected]
>Subject: [FW-1] Cluster XL vs Cisco static arp
>
>
>Hi,
>
>I have a problem with the implementation of Cluster XL R55 and two Cisco
>routers (HSRP).
>Our company has two connections to the ISP -> two CISCO router 2801 + 4esw
>switch card. Before, when only one connection was designed (and one router),
>all worked fine. There was a static arp entry for the Cluster XL MAC on the
>router.
>But now, when two routers are designed (HSRP), I cannot add the static arp on
>both routers. If it is added only on one of them, all works fine, but if I
>set up the static arp entry on both routers then traffic looks like "crazy":
>-upstream is bigger than downstream (normally upstream is max 10% of
>downstream)
>-there are a lot of error messages in CP FW: ICMP: Source-Cluster XL IP,
>Dst-Cluster XL IP, Echo request :message_info: cluster member IP is being
>spoofed
>-there are a lot of error messages in CP FW: ICMP: Time-To-Live Count Exceeded
>-I have to say that some traffic is passing through the FWs and routers, but
>it's very strange to explain this.
>So now I have the static arp entry only on one router, but this router is now
>critical -> if the router is down, the internet connection is down too.
>
>Can somebody help me with this issue?
>
>thanx
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
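The loop described in the quoted reply, as an added example that is not part of the original thread: a toy model of one VLAN where the switch floods frames for the cluster's multicast MAC and a router re-routes any flooded copy it receives. All MAC addresses and port names are constructed, and the rule that a router without the static ARP entry simply drops the copy is an assumption made to match the poster's observation that one static entry works.

```python
from collections import deque

CLUSTER_MAC = "01:00:5e:00:02:0a"   # constructed multicast MAC of the cluster IP
PORTS = {                           # constructed switch ports -> device MACs
    "rtrA": "00:00:0c:aa:aa:aa", "rtrB": "00:00:0c:bb:bb:bb",
    "fw1": "00:a0:8e:11:11:11", "fw2": "00:a0:8e:22:22:22",
}

def switch_deliver(mac_table, src_port, dst_mac):
    """Learn the source MAC, then forward: known unicast -> one port, else flood."""
    mac_table[PORTS[src_port]] = src_port
    if dst_mac in mac_table:
        return [mac_table[dst_mac]]
    # A multicast MAC is never a source address, so it is never learned.
    return [p for p in PORTS if p != src_port]

def simulate(static_arp_routers, ttl=64):
    """Follow one inbound packet for the cluster IP that arrives at rtrA.

    static_arp_routers: routers holding 'cluster IP -> CLUSTER_MAC' static ARP.
    """
    mac_table = {}
    stats = {"frames_on_vlan": 0, "copies_at_fw1": 0,
             "ttl_exceeded": 0, "dropped_no_arp": 0}
    queue = deque([("rtrA", ttl)])          # (router holding the packet, TTL)
    while queue:
        router, ttl_in = queue.popleft()
        if router not in static_arp_routers:
            stats["dropped_no_arp"] += 1    # assumption: cannot resolve, drops
            continue
        if ttl_in - 1 <= 0:
            stats["ttl_exceeded"] += 1      # router would send ICMP Time Exceeded
            continue
        stats["frames_on_vlan"] += 1
        for port in switch_deliver(mac_table, router, CLUSTER_MAC):
            if port == "fw1":
                stats["copies_at_fw1"] += 1
            elif port.startswith("rtr"):    # peer router routes the copy again
                queue.append((port, ttl_in - 1))
    return stats

if __name__ == "__main__":
    print("static ARP on rtrA only :", simulate({"rtrA"}))
    print("static ARP on both      :", simulate({"rtrA", "rtrB"}))
```

With the entry on both routers, a single packet with TTL 64 is put on the VLAN 63 times before it expires, which matches the duplicate traffic and Time-To-Live Count Exceeded messages reported in the original post.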
