Thanks for the reply. Looks like my user center account doesn't have access to that SK.

Actually, I had already tried it with dashes instead of underlines, but tried what you've mentioned on my test boxes. I still don't get the active member of cluster acknowledging the second VIP. Dashboard is fine with it, firewalls allow me to push simple rulebase to cluster, but the active member never arps for the second VIP.

I do see an error in fwd.elg on both test boxes that makes me wonder. I see that there's an SK30154 that talks to this, but again I can't reach it. Have to figure out what happened to my co's support I guess:
fwarp_initialize_myself: unable to find mac address for interface eth1_1
fw_auto_arp: Unable to initialize

So I have to statically set a MAC address for eth1_1 on each box that matches eth1, and then ClusterXL will pick it up? Or will this give me two boxes arping for the secondary VIP?

Jim Johnson wrote:
Don't use the colon in the FW interface name.  For example use "eth0_0".
See sk25674 for more info.


-----Original Message-----
This is probably a rhetorical question, but why does Checkpoint allow
the usage of subinterfaces in SPLAT if the Checkpoint software can't
handle their usage???

- SPLAT, like all Linux, has subinterfaces available, of the format
eth#:#. That way you can have multiple IPs on the same physical interface.
- Checkpoint Dashboard cannot see the subint's in a GET request, and
cannot handle colons in interface names when defining topology.
- This renders the usage of subinterfaces in a ClusterXL pair invalid
and apparently impossible.

Has anyone managed to set up a SPLAT-ClusterXL-HA pair with multiple
virtual IPs per physical interface without rearchitecting and using
VLANs (just a tad hard with an enterprise DMZ with 350+ hosts in it)?

I'm doing it in IPSO, just because ipso is doing the heavy lifting of
virtual ip setups. I wanted to move to SPLAT and ClusterXL, since my
poor little IP530s are becoming horrendously underpowered, but this
environment has grown organically in the past, and I've got interfaces
with multiple subnets on them.
