I'm having some trouble with Cluster XL. I've been trying to set up a cluster, but I've been having problems with the synchronization. If I use each module alone, everything works OK. If I use both, there is some instability in my network: the modules stop forwarding traffic for a little while, then everything goes back to normal, and some applications are not working fine. I've been looking for errors and I get this error in the messages, a lot, sometimes every ten minutes, sometimes less.

Jul 19 05:00:40 fwph2 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems !
Jul 19 05:00:40 fwph2 kernel: FW-1: It is recommended to set the global parameter fw_sync_block_new_conns to 0
Jul 19 05:00:40 fwph2 kernel: FW-1: Please refer to documentation for details on this issue. Any change must be applied to ALL cluster members
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: delta sync connection with member 0 was lost and regained.587 updates were lost.
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: received sequence 0x69c82 (fragm 0, index 1), last processed seq 0x69a36

Does anybody have any idea why this is happening? Or how to correct this?

My configuration is two modules with SPLAT R55 HFA04; the synchronization network is through a switch. I'm using only HA.

Best Regards

Lino E. Avila
[EMAIL PROTECTED]
52651700 ext. 1774
Nextel ID: 52*17946*47
Mobile: 55 24743746

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Layne Meier
Sent: Wednesday, July 20, 2005 8:58 AM
To: [email protected]
Subject: Re: [FW-1] Cluster XL Problem

I just implemented the recommended Cisco configuration information on my Cisco Switches and now I can do Load Sharing Multicast in my cluster. (See pages 37 and 38 of the NG-AI, R55 ClusterXL Configuration Guide - June 2003).

Mind you, I'm running NG-AI, R55, HFA_R55_15

Thank you all for your assistance

Layne Meier
Atlanta, GA

On Jul 20, 2005, at 9:17 AM, Cassell,Damon Z. wrote:

> This is not necessarily true. I've found that Cisco 2950 switches are
> plug and play when it comes to multicast addresses and ClusterXL. I'm
> currently testing such a configuration.
>
> Page 52 of Checkpoint's ClusterXL R55 guide suggests some hardware,
> and there is also an additional sk document mentioned there that talks
> about specific switch configurations.
>
> Damon Cassell
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Timothy Arnold
> Sent: Wednesday, July 20, 2005 7:56 AM
> To: [email protected]
> Subject: Re: [FW-1] Cluster XL Problem
>
> do you have a cisco router/switch in front of them? iirc they cannot
> handle multicast addresses so you need to put a static arp entry in!
>
> ----- Original Message -----
> From: "Layne Meier" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, July 20, 2005 12:38 PM
> Subject: [FW-1] Cluster XL Problem
>
>> I'm having a bit of trouble setting up a VPN-1/Firewall-1 Cluster.
>>
>> In my attempt, I have all of the appropriate licenses (VFF,
>> ClusterXL, Policy Server).
>>
>> I have set up a pair of Sun Netra T-1 105 servers, with a QuadFast
>> Ethernet Adapter in each of them as the enforcement modules. I've
>> set up a Sun Netra X1 as the management server. All of these systems
>> are running Sun Solaris 8, with the appropriate Solaris patches
>> required by CheckPoint installed.
>>
>> I defined my cluster with the "virtual" IP Addresses that will be
>> used, defined the two enforcement modules as cluster members with
>> unique IP Addresses for their local interfaces. Pushed a policy to
>> them.
>>
>> All of this is pretty normal. However, here is my problem.
>>
>> If I establish my cluster as a Load Sharing, Multicast cluster, I can
>> only ping from my local network, the two unique IP Addresses of the
>> LAN interfaces of the two enforcement modules. I cannot ping the
>> virtual IP Address, the external unique IP Addresses, nor the virtual
>> of them.
>>
>> If I change it to a Load Sharing, Unicast cluster, I can ping all
>> interfaces, including all virtuals.
>> I prefer the concept of a load sharing cluster without having a
>> pivot system.
>>
>> Any thoughts as to why I can't get Load Sharing Multicast to work?
>>
>> Thank you,
>> Layne Meier
>> Atlanta, GA
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages, send an email to
>> [EMAIL PROTECTED]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your subscription options,
>> email [EMAIL PROTECTED]
>> =================================================
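
Added example, not part of the original thread and not Check Point tooling: a Python parser for the fwldbcast_recv messages quoted in the first message, pairing each "updates were lost" line with the sequence numbers logged beside it so loss events can be tracked per member over time. Reading the sequence gap minus one as the lost-update count is an assumption inferred from the posted sample (0x69c82 - 0x69a36 - 1 = 587); the names SyncLoss and parse_sync_losses are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Log lines copied from the first message in this thread.
SAMPLE = """\
Jul 19 05:00:40 fwph2 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems !
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: delta sync connection with member 0 was lost and regained.587 updates were lost.
Jul 19 05:00:40 fwph2 kernel: FW-1: fwldbcast_recv: received sequence 0x69c82 (fragm 0, index 1), last processed seq 0x69a36
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel: FW-1: fwldbcast_recv: "
LOST_RE = re.compile(PREFIX + r"delta sync connection with member (?P<member>\d+) "
                     r"was lost and regained\.\s*(?P<lost>\d+) updates were lost")
SEQ_RE = re.compile(PREFIX + r"received sequence (?P<recv>0x[0-9a-fA-F]+) .*"
                    r"last processed seq (?P<last>0x[0-9a-fA-F]+)")

@dataclass
class SyncLoss:  # hypothetical record type for one loss event
    ts: str
    host: str
    member: int
    lost: int
    recv_seq: Optional[int] = None
    last_seq: Optional[int] = None

    def skipped(self) -> Optional[int]:
        # Sequence numbers strictly between last processed and received
        # (assumed, from the posted sample, to equal the lost-update count).
        if self.recv_seq is None or self.last_seq is None:
            return None
        return self.recv_seq - self.last_seq - 1

def parse_sync_losses(text: str) -> List[SyncLoss]:
    events: List[SyncLoss] = []
    for line in text.splitlines():
        m = LOST_RE.match(line)
        if m:
            events.append(SyncLoss(m["ts"], m["host"], int(m["member"]), int(m["lost"])))
            continue
        m = SEQ_RE.match(line)
        # Attach sequence numbers to the latest unpaired loss from the same host.
        if m and events and events[-1].host == m["host"] and events[-1].recv_seq is None:
            events[-1].recv_seq = int(m["recv"], 16)
            events[-1].last_seq = int(m["last"], 16)
    return events

if __name__ == "__main__":
    for e in parse_sync_losses(SAMPLE):
        print(e.ts, e.host, f"member={e.member} lost={e.lost} skipped={e.skipped()}")
```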
