Gurus,
I have a pair of Nokia IP650s running IPSO 3.7.1 build 24 with NG with AI
R55w HFA_04. They are being managed by Provider-1 NG with AI R55w running
on Solaris.
I have a dedicated "sync/failover" interface on the Nokias. Here is my
"iclid" and "cphaprob state" output on both Nokias. Note that I am running
Nokia VRRP, NOT ClusterXL, and that eth-s2p4 is my synchronization interface:
Checkpoint-NG-1-P[admin]# iclid
Checkpoint-NG-1-P> sh vrrp
VRRP State
Flags: On,LocalReceive
10s coldstart delay (completed)
10 interface enabled
10 virtual routers configured
0 in Init state
0 in Backup state
10 in Master state
Checkpoint-NG-1-P> exit
Bye.
Checkpoint-NG-1-P[admin]#
Checkpoint-NG-1-P[admin]# cphaprob state
Working mode: Service
Number Unique Address State
1 (local) 192.168.1.1 active
2 192.168.1.2 active
Checkpoint-NG-1-P[admin]#
------------------------------
Checkpoint-NG-1-S[admin]# iclid
Checkpoint-NG-1-S> sh vrrp
VRRP State
Flags: On,LocalReceive
10s coldstart delay (completed)
10 interface enabled
10 virtual routers configured
0 in Init state
10 in Backup state
0 in Master state
Checkpoint-NG-1-S> exit
Bye.
Checkpoint-NG-1-S[admin]# cphaprob state
Working mode: Service
Number Unique Address State
1 192.168.1.1 active
2 (local) 192.168.1.2 active
Checkpoint-NG-1-S[admin]#
Now when I run "tcpdump -i eth-s2p4" I notice that there is a lot of "cpha
8116" traffic traversing the sync interface. It seems to be OK. I do not see
this traffic on the other 9 interfaces:
10:28:09.489970 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync
10:28:09.580113 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync
10:28:09.739980 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync
10:28:09.739985 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync
-------------------------
When I switch the Nokias to a pair of Dell servers running Check Point
SecurePlatform with ClusterXL instead of Nokia VRRP, the enforcement module is
running in Active/Standby mode. The problem I am seeing is that the CPHA 8116
traffic is on ALL interfaces, not just the sync interface. It is basically
flooding my Cisco switches.
Granted, this is OK for a single customer, but as I put more and more
customers on the network it will become a problem.
My question is this: is it possible to restrict the CPHA 8116 traffic to only
the sync interface in a clustered environment? I was able to do it on the
Nokia appliances but not with SecurePlatform. I suspect that it has to do
with ClusterXL.
Comments, anyone? TIA
cisco4ng
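The post compares captures taken on the sync interface against captures on the other interfaces by eye. The following script is an added example, not code from the original post or from Check Point: it parses tcpdump summary lines in the CPHA format shown above (timestamp, a direction flag that I assume is I/O, the 8116 endpoints, then the ifc/smach/dmach/op fields), tallies CCP packets per capture interface, and reports any interface other than the declared sync interface that carried CCP. The captures are constructed: the eth-s2p4 lines mirror the post, while the eth-s1p1 and eth-s1p2 lines are invented to model the ClusterXL symptom described (CCP seen on a non-sync interface) and ordinary non-CCP traffic. It assumes each capture was taken separately with something like `tcpdump -i <iface> udp port 8116`; if your tcpdump lacks the CPHA decoder and prints raw UDP lines instead, the regular expression would need adapting.

```python
import re
from collections import Counter

# Constructed sample captures keyed by the interface tcpdump was run on.
# eth-s2p4 lines are the format from the post; eth-s1p1/eth-s1p2 are invented.
SAMPLE_CAPTURES = {
    "eth-s2p4": [
        "10:28:09.489970 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync",
        "10:28:09.580113 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync",
        "10:28:09.739980 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 8 smach 0 dmach 65534 op new-sync",
    ],
    "eth-s1p1": [  # invented: models CCP leaking onto a non-sync interface
        "10:28:09.500001 O CPHA 0.0.0.0.8116 > 192.168.1.0.8116: ifc 1 smach 0 dmach 65534 op new-sync",
        "10:28:09.512345 IP 10.0.0.5.51234 > 10.0.0.9.443: S 1:1(0) win 65535",
    ],
    "eth-s1p2": [  # invented: ordinary traffic only
        "10:28:09.600000 IP 10.0.1.5.1234 > 10.0.1.9.80: . ack 1 win 65535",
    ],
}

CCP_PORT = 8116  # UDP port used by the CPHA/CCP traffic in the post

# Matches the CPHA summary line format shown in the post. The single-letter
# field after the timestamp is assumed to be a direction flag (I or O).
CPHA_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>[IO])\s+CPHA\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"ifc\s+(?P<ifc>\d+)\s+smach\s+(?P<smach>\d+)\s+dmach\s+(?P<dmach>\d+)"
    r"\s+op\s+(?P<op>\S+)$"
)


def parse_cpha_line(line):
    """Return a dict of fields for a CPHA line, or None for any other line."""
    m = CPHA_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "ifc", "smach", "dmach"):
        fields[key] = int(fields[key])
    return fields


def summarize_captures(captures):
    """Per interface: CCP packet count, op-type histogram and ifc ids seen."""
    summary = {}
    for iface, lines in captures.items():
        parsed = (parse_cpha_line(l) for l in lines)
        ccp = [p for p in parsed if p and p["dport"] == CCP_PORT]
        summary[iface] = {
            "ccp_packets": len(ccp),
            "total_lines": len(lines),
            "ops": Counter(p["op"] for p in ccp),
            "ifc_ids": sorted({p["ifc"] for p in ccp}),
        }
    return summary


def non_sync_ccp_interfaces(summary, sync_iface):
    """Interfaces other than the sync interface that carried CCP packets."""
    return sorted(
        iface for iface, s in summary.items()
        if iface != sync_iface and s["ccp_packets"] > 0
    )


if __name__ == "__main__":
    summary = summarize_captures(SAMPLE_CAPTURES)
    for iface, s in sorted(summary.items()):
        print(f"{iface}: {s['ccp_packets']}/{s['total_lines']} CCP lines, "
              f"ops={dict(s['ops'])}, ifc={s['ifc_ids']}")
    leaking = non_sync_ccp_interfaces(summary, "eth-s2p4")
    print("CCP on non-sync interfaces:", leaking or "none")
```

On the Nokia/VRRP pair described in the post the non-sync list should come back empty; on the SecurePlatform/ClusterXL pair it would list every interface that is flooding the switches, which gives a concrete per-interface count to take to Check Point rather than an impression from watching tcpdump scroll.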
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html