Nick,
I think it is best that I give you an example. Below is a configuration of a
pair of Nokia IP530s in vrrp cluster running NG with AI R55w and HFA_04. If your
firewall looks different than this, it means that something is wrong. Pay special
attention to the "cphaprob state" output.
Let me know if you have questions.
Checkpoint-NG-1-P[admin]# iclid
Checkpoint-NG-1-P> sh vrrp
VRRP State
Flags: On,LocalReceive
10s coldstart delay (completed)
10 interface enabled
10 virtual routers configured
0 in Init state
0 in Backup state
10 in Master state
Checkpoint-NG-1-P> exit
Bye.
Checkpoint-NG-1-P[admin]#
Checkpoint-NG-1-P[admin]# cphaprob state
Working mode: Service
Number Unique Address State
1 (local) 192.168.1.1 active
2 192.168.1.2 active
Checkpoint-NG-1-P[admin]#
------------------------------
Checkpoint-NG-1-S[admin]# iclid
Checkpoint-NG-1-S> sh vrrp
VRRP State
Flags: On,LocalReceive
10s coldstart delay (completed)
10 interface enabled
10 virtual routers configured
0 in Init state
10 in Backup state
0 in Master state
Checkpoint-NG-1-S> exit
Bye.
Checkpoint-NG-1-S[admin]# cphaprob state
Working mode: Service
Number Unique Address State
1 192.168.1.1 active
2 (local) 192.168.1.2 active
Checkpoint-NG-1-S[admin]#
Nick Whitworth <[EMAIL PROTECTED]> wrote:
Thanks for the reply.
Show vrrp shows what I'd expect.
On the master, cphaprob state shows firewall state down. On the backup,
firewall state is active. Is this what you'd expect?
Thanks
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of cisco4ng
Sent: 04 June 2006 21:45
To: [email protected]
Subject: Re: [FW-1] connection synching
Nick,
If they both have the same # connections, it means that you're in trouble.
Because you're running VRRP cluster, the standby will have almost zero
connections (34 connections is mainly administrative connections from the
SmartCenter and from Active firewall). To make sure that your cluster
is functioning properly, you need to do the following:
1) On the nokia IP530s, do "iclid" and "show vrrp", you should see all masters
on the Active nokia and all backups on the standby nokia,
2) do a "cphaprob state" on both the nokia and you will see both
"active/active".
If both nokias meet the above requirements, life is good.
Nick Whitworth wrote:
Hi,
We have a pair of ip 530s in a vrrp cluster. I have used the fw tab -t
connections -s command to see if they are synching properly. The active
cluster member is showing 622 connections but the backup member is
showing 34 connections. Any idea how I can get them in synch? They have
both been rebooted already.
Thanks,
______________________________________________
Nick Whitworth - Systems Specialist
t +44 (0) 1483 816712 | m +44 (0) 7946 520697 | f +44 (0) 1483 816545
a Detica | Surrey Research Park | Guildford | GU2 7YP | UK
______________________________________________
www.detica.com
This message should be regarded as confidential. If you have received this
email in error please notify the sender and destroy it immediately.
Statements of intent shall only become binding when confirmed in hard copy by
an authorised signatory. The contents of this email may relate to dealings with
other companies within the Detica Group plc group of companies.
Detica Limited is registered in England under No: 1337451.
Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
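
The two checks discussed in this thread ("sh vrrp" on each member, then "cphaprob state" on each member) can be automated over captured output. The following Python sketch is an added example, not part of the original messages or of any Check Point or Nokia tooling; the function names are hypothetical and the sample text is constructed from the output format shown in the thread.

```python
import re

# Constructed sample input, modelled on the healthy output shown in the thread.
VRRP_MASTER = "10 virtual routers configured\n0 in Init state\n0 in Backup state\n10 in Master state\n"
VRRP_BACKUP = "10 virtual routers configured\n0 in Init state\n10 in Backup state\n0 in Master state\n"
CPHA_OK = ("Working mode: Service\nNumber Unique Address State\n"
           "1 (local) 192.168.1.1 active\n2 192.168.1.2 active\n")
# Constructed failure case: one member reported as down, as in the question.
CPHA_DOWN = CPHA_OK.replace("192.168.1.1 active", "192.168.1.1 down")

def parse_vrrp(text):
    """Extract the virtual-router counters from 'sh vrrp' summary output."""
    counts = {}
    m = re.search(r"(\d+) virtual routers configured", text)
    counts["configured"] = int(m.group(1)) if m else 0
    for state in ("Init", "Backup", "Master"):
        m = re.search(rf"(\d+) in {state} state", text)
        counts[state.lower()] = int(m.group(1)) if m else 0
    return counts

def parse_cphaprob(text):
    """Return {address: state} for each member row of 'cphaprob state'."""
    members = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(?:\(local\)\s+)?(\d+(?:\.\d+){3})\s+(\S+)", line)
        if m:
            members[m.group(1)] = m.group(2).lower()
    return members

def member_role(vrrp_text):
    """Classify a member as all-master, all-backup, or mixed."""
    c = parse_vrrp(vrrp_text)
    n = c["configured"]
    if n and c["master"] == n:
        return "master"
    if n and c["backup"] == n:
        return "backup"
    return "mixed"

def check_cluster(vrrp_a, cpha_a, vrrp_b, cpha_b):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    roles = sorted([member_role(vrrp_a), member_role(vrrp_b)])
    if roles != ["backup", "master"]:
        problems.append(f"VRRP roles are {roles}, expected one all-master and one all-backup member")
    for name, text in (("A", cpha_a), ("B", cpha_b)):
        members = parse_cphaprob(text)
        if len(members) < 2:
            problems.append(f"member {name} lists {len(members)} cluster member(s), expected 2")
        problems += [f"member {name} reports {addr} as {state}"
                     for addr, state in members.items() if state != "active"]
    return problems
```

Feed it the text captured from each member; any returned entry corresponds to a deviation from the reference output posted above.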