Hi,

>>You will need .... change your mode to Unicast (for this you will need to delete 
>>the static ARPs in your routers)
I did that, but another problem arose. Let me explain:

cphaprob state:
FW1:
1(local) X.X.X.1 30% pivot
2        X.X.X.2 70%

FW2:
1        X.X.X.1 30% pivot
2(local) X.X.X.2 70%

It looks fine, but when I looked at my Cisco MRTG statistics for the external ports I 
found that all traffic is passing through FW2.
Then I looked at the ARP tables on the Cisco routers:
CISCO1:
X.X.X.1  XXXX.XXXX.XX63 (FW1)
X.X.X.2  XXXX.XXXX.XX0a (FW2)
X.X.X.3  XXXX.XXXX.XX0a (the cluster IP address has the MAC of FW2)
This is very strange, because FW1 is the pivot and I expected the cluster MAC 
to be the same as the FW1 MAC.??
Then I checked the ARP tables on devices in the DMZ and the internal LAN, and all of them have an X.X.X.3 
XXXX.XXXX.XX63 (FW1 MAC) entry in their ARP tables. I think that's right. 
Then I put my notebook with the Ethereal sniffer on the external LAN between the Cisco 
routers and the FWs. Step by step:
1. ARP table on the notebook is empty
2. ping something in the internal LAN
3. ARP table on the notebook: X.X.X.3 (cluster IP)  XXXX.XXXX.XX63 (FW1 MAC) -> that's OK
4. browse our DMZ web server
5. ARP table on the notebook: X.X.X.3 (cluster IP)  XXXX.XXXX.XX0a (FW2 MAC) -> that's 
wrong, I think.
I looked in Ethereal: first the notebook sends an ARP request "Who has X.X.X.3? Tell 
notebookIP". Then it gets a response from FW1 with the FW1 MAC. But after I started 
browsing the web server in the DMZ, the notebook received two ARP broadcasts "Who has X.X.X.3? 
Tell X.X.X.3", one from FW1 and then a second from FW2. And because the FW2 request 
was the last one, the notebook learned that FW2_MAC is the MAC of cluster IP X.X.X.3. So I think 
the problem is that FW2 still presents itself as X.X.X.3, but I don't understand 
why?

Thanks for any advice.



>-----Original Message-----
>From: Cecoban, S. A. de C. V. - Romey Valadez [mailto:[EMAIL PROTECTED]
>Sent: 7 June 2005 21:36
>To: [email protected]
>Subject: Re: [FW-1] Cluster XL vs Cisco static arp
>
>
>Yes, that's all, and your FW will still load-share on all interfaces and provide 
>you High Availability. You can see more details in the Check Point help (see the help 
>on ClusterXL Modes in your management station). This help explains all modes of 
>ClusterXL.
>
>Another thing to know is the priority of the cluster members (you will see it in the 
>Cluster Members config options). Unicast mode needs a pivot, and this is 
>assigned using the highest-priority member available.
>
>I hope this helps you
>
>Regards
>Romey Valadez
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] on behalf 
>of nl
>Sent: Tuesday, 07 June 2005 12:13 a.m.
>To: [email protected]
>Subject: Re: [FW-1] Cluster XL vs Cisco static arp
>
>
>Thanks for the reply,
>
>I see Multicast or Unicast in the Cluster XL LOAD SHARING config options. Do you 
>think that all I have to do is delete the static ARP entry in the router, select 
>Unicast in the Cluster XL LOAD SHARING config options and install the policy? Is there 
>something else I have to do?
>
>And will it still be load sharing, including the FW outside interface?
>
>thanks
>
>>From: Cecoban, S. A. de C. V. - Romey Valadez [mailto:[EMAIL PROTECTED]
>>Sent: 6 June 2005 21:21
>>To: [email protected]
>>Subject: Re: [FW-1] Cluster XL vs Cisco static arp
>>
>>
>>Because you need to apply a static ARP in your routers, I think that you have 
>>Cluster XL in Multicast mode, and your switch maybe doesn't support 
>>multicast mode. The ICMP TTL Count Exceeded appears because when a router 
>>delivers a packet it is sent to a multicast destination; some switches (or 
>>hubs) don't understand multicast and don't know where the multicast MAC 
>>address is connected, and for this reason the switch sends the packet to all 
>>ports in the same VLAN. The packet is then received by the Check Point 
>>cluster and by the other Cisco router. Check Point has no problem with this 
>>because it knows how to process the packet, but when the Cisco router receives 
>>the packet it thinks the packet needs to be routed, checks its routing 
>>table, and if the destination is the same Cluster XL the packet is 
>>delivered to the same multicast address (remember that both Ciscos have the 
>>same static ARP), repeating this process until the TTL reaches zero (for each 
>>receive and transmit of the same packet the TTL decreases).
>>
>>
>>You will need to check whether your switches support multicast, or change your mode to 
>>Unicast (for this you will need to delete the static ARPs in your routers)
>>
>>
>>Regards
>>
>>Romey Valadez
>>
>>-----Original Message-----
>>From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] 
>>on behalf of nl
>>Sent: Monday, 06 June 2005 01:02 a.m.
>>To: [email protected]
>>Subject: [FW-1] Cluster XL vs Cisco static arp
>>
>>
>>Hi,
>>
>>I have a problem with the implementation of Cluster XL R55 and two Cisco routers  
>>(HSRP).
>>Our company has two connections to the ISP -> two Cisco 2801 routers + 4ESW switch 
>>card. Before, when only one connection was designed (and one router), everything 
>>worked fine. There was a static ARP entry for the Cluster XL MAC on the router.
>>But now, when two routers are designed (HSRP), I cannot add the static ARP on both 
>>routers. If it is added on only one of them, everything works fine, but if I set up 
>>the static ARP entry on both routers then the traffic looks "crazy":
>>-upstream is bigger than downstream (normally upstream is max 10% of 
>>downstream)
>>-there are a lot of error messages in the CP FW:  ICMP: Source-Cluster XL IP, 
>>Dst-Cluster XL IP, Echo request :message_info: cluster member IP is being 
>>spoofed
>>-there are a lot of error messages in the CP FW:  ICMP: Time-To-Live Count Exceeded
>>-I have to say that some traffic is passing through the FWs and routers, but it's 
>>very strange to explain this.
>>So now I have the static ARP entry on only one router, but this router is now 
>>critical -> if the router is down, the Internet connection is down too.
>>
>>Can somebody help me with this issue?
>>
>>thanks
>>
>>
>>Activate your own mailbox with unlimited capacity at ATLAS.SK.
>>http://mail.atlas.sk
>>
>>=================================================
>>To set vacation, Out-Of-Office, or away messages,
>>send an email to [EMAIL PROTECTED]
>>in the BODY of the email add:
>>set fw-1-mailinglist nomail
>>=================================================
>>To unsubscribe from this mailing list,
>>please see the instructions at
>>http://www.checkpoint.com/services/mailing.html
>>=================================================
>>If you have any questions on how to change your
>>subscription options, email
>>[EMAIL PROTECTED]
>>=================================================
>>
>

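The ARP exchange the notebook captured in the message above, replayed as an added example that is not part of the original posts (written for this page in Python). The MAC and IP addresses are placeholders standing in for the masked X.X.X.x and XXXX.XXXX.XX63 values in the thread, and the cache behaviour modelled is the one the notebook showed: it took the sender binding from an unsolicited "Who has X.X.X.3 tell X.X.X.3" request it never asked for. The check parses raw Ethernet/ARP frames, flags every frame in which the cluster IP is claimed, and reports when the claimant changes:

```python
"""Replay a constructed ARP capture and show how a host's cache ends up pointing
the cluster IP at the wrong member.  Added example for this thread, not code from
the original posts.  Addresses are placeholders (the thread masks its own)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Assumed addresses standing in for the thread's X.X.X.x / XXXX.XXXX.XX63 values.
CLUSTER_IP, FW1_IP, FW2_IP, NOTEBOOK_IP = "192.0.2.3", "192.0.2.1", "192.0.2.2", "192.0.2.50"
FW1_MAC, FW2_MAC, NOTEBOOK_MAC = "00:11:22:33:44:63", "00:11:22:33:44:0a", "00:aa:bb:cc:dd:ee"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(dst_mac, src_mac, oper, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP payload (RFC 826 layout for Ethernet/IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
        # "Who has X tell X": the sender announces its own IP (gratuitous ARP).
        "gratuitous": frame[28:32] == frame[38:42],
    }


def audit(frames, watched_ip):
    """Replay frames as a host that updates its cache from any ARP whose sender IP
    it already knows (the behaviour the notebook showed) and report the claimants."""
    cache = {}
    result = {"final_mac": None, "macs": set(), "flaps": [], "events": []}
    for n, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None or a["spa"] != watched_ip:
            continue
        if a["oper"] == ARP_REPLY:
            kind = "reply"
        else:
            kind = "gratuitous request" if a["gratuitous"] else "request"
        result["events"].append((n, kind, a["sha"]))
        result["macs"].add(a["sha"])
        prev = cache.get(watched_ip)
        if prev is not None and prev != a["sha"]:
            result["flaps"].append((n, prev, a["sha"]))   # binding moved to another member
        cache[watched_ip] = a["sha"]
    result["final_mac"] = cache.get(watched_ip)
    return result


# Constructed capture mirroring the five steps in the post: the notebook asks for the
# cluster IP, FW1 answers, then both members broadcast a gratuitous ARP for it.
FRAMES = [
    build_arp(BROADCAST, NOTEBOOK_MAC, ARP_REQUEST, NOTEBOOK_MAC, NOTEBOOK_IP, ZERO_MAC, CLUSTER_IP),
    build_arp(NOTEBOOK_MAC, FW1_MAC, ARP_REPLY, FW1_MAC, CLUSTER_IP, NOTEBOOK_MAC, NOTEBOOK_IP),
    build_arp(BROADCAST, FW1_MAC, ARP_REQUEST, FW1_MAC, CLUSTER_IP, ZERO_MAC, CLUSTER_IP),
    build_arp(BROADCAST, FW2_MAC, ARP_REQUEST, FW2_MAC, CLUSTER_IP, ZERO_MAC, CLUSTER_IP),
]

if __name__ == "__main__":
    r = audit(FRAMES, CLUSTER_IP)
    for n, kind, sha in r["events"]:
        print(f"frame {n}: {kind:<19} {CLUSTER_IP} claimed by {sha}")
    for n, old, new in r["flaps"]:
        print(f"frame {n}: cache for {CLUSTER_IP} changed {old} -> {new}")
    member = "FW2" if r["final_mac"] == FW2_MAC else "FW1"
    print(f"{CLUSTER_IP} now resolves to {r['final_mac']} ({member})")
```

Whether a real host rewrites an existing entry on an unsolicited request depends on its stack, so the same two gratuitous ARPs will move the binding on some hosts and not on others; the part worth acting on is that two different MACs claimed the one cluster IP at all, which should not happen when only the pivot is meant to answer for it. To use this on a real trace, replace FRAMES with the raw frames exported from the capture.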