Hello, I currently have a customer with an HA (active/standby) pair of firewall modules running on Solaris 9 and his SmartCenter running on Windows 2003 Server. About 3 months ago we upgraded all of that from R55 HFA18 to R60 HFA03 and everything seemed OK for quite a while. After that upgrade my customer started having connectivity issues from time to time with a third party that connects to them via one of their DMZ interfaces. They worked on the issue but never found anything they could consider a problem with the cluster, so they had always blamed the other guys, but recently they found out that every time they install the Check Point security policy, both firewall modules get their CPU usage all the way to 100% (even the one in standby mode). This situation led to an investigation and gathering of data from both machines at the platform level, and today they found logs on both machines like this:
Proxy ARP problem? Hardware Address "XX:XX:XX:XX:XX:XX" thinks it is YY.YY.YY.YY

where XX:XX... is the MAC address of the machine that was in standby at the moment and YY.YY.... is any of the IP addresses the firewall is supposed to put in the ARP table because it is used in one of the automatic NAT rules. Remember, these logs were seen at the Solaris platform level on both firewall modules; Check Point logs show nothing we could relate to these incidents, and the timestamps of the logs seem to indicate these events started occurring from time to time after the R60 HFA03 upgrade.

The first important detail here is that several switches between active and standby states occurred for no apparent reason, although it does not seem to happen very often and it is still difficult to relate those events in time to the connectivity failures. The second interesting detail here is that at some point whichever module was running in standby mode attempted to put entries in the ARP table with its MAC address.

Something else my customer reported, and I'm not quite sure whether it is related to all these issues or not, is that in the Check Point logs he sees that from time to time a single log originated by whichever module is in standby mode shows it blocked traffic (valid according to the policy), but less than a second later the active module again continues generating the rest of the logs. It is as if for less than a second the standby module processed traffic and then returned to its standby state. I'm saying that I'm not sure whether it is related to the other issues because I have never noticed such behavior before in an HA environment, but it could be considered normal by someone else.

It sounds to me like the high CPU usage and the ARP issues could be related to some sort of bug, as neither of them was experienced by my customer before migrating from R55 to R60 HFA03, but does anybody know anything about that?
I would really appreciate any help with this, as SecureKnowledge has not been very helpful so far.

Regards
-- 
Sergio Alvarez
(506)8301342
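As an added example (not part of Sergio's post, and not a Check Point or Solaris tool), here is a small Python triage script for the Solaris messages quoted above. It pulls the MAC address and the claimed IP out of each "Proxy ARP problem?" line, checks the MAC against the two cluster members' interface MACs and the IP against the set of automatic-NAT addresses, and, given a timeline of which member was active when, flags exactly the situation described in the post: the standby member's MAC claiming a NAT address. The sample syslog lines, MACs, addresses and the failover timeline are all constructed for this example; only the message wording follows the shape quoted in the post, so adjust the regex to the exact text in your own /var/adm/messages.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines. The "Proxy ARP problem?" text follows the shape
# quoted in the post; the timestamp/host prefix, MACs and addresses are made up.
SAMPLE_SYSLOG = """\
Mar 12 10:02:17 fwA ip: WARNING: Proxy ARP problem? Hardware Address "00:03:ba:12:34:56" thinks it is 192.0.2.10
Mar 12 10:02:17 fwA ip: WARNING: Proxy ARP problem? Hardware Address "00:03:ba:12:34:56" thinks it is 192.0.2.11
Mar 12 10:02:18 fwA sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 40212
Mar 12 11:40:03 fwA ip: WARNING: Proxy ARP problem? Hardware Address "00:03:ba:12:34:56" thinks it is 192.0.2.10
Mar 13 09:15:44 fwB ip: WARNING: Proxy ARP problem? Hardware Address "00:03:ba:65:43:21" thinks it is 192.0.2.10
Mar 13 09:15:44 fwB ip: WARNING: Proxy ARP problem? Hardware Address "00:0c:29:aa:bb:cc" thinks it is 198.51.100.7
"""

# Assumed inventory (hypothetical values): the DMZ interface MAC of each cluster
# member, and the addresses used in automatic NAT rules that the active member is
# expected to answer ARP for.
MEMBER_MACS = {"00:03:ba:12:34:56": "fwB", "00:03:ba:65:43:21": "fwA"}
NAT_IPS = {"192.0.2.10", "192.0.2.11"}

# Assumed failover timeline (hypothetical): the moment each member became active.
# Between two entries the other member is the standby.
FAILOVERS = [("Mar 12 00:00:00", "fwA"), ("Mar 12 11:00:00", "fwB"), ("Mar 13 08:00:00", "fwA")]

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?'
    r'Proxy ARP problem\? Hardware Address "(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})" '
    r'thinks it is (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$'
)


def parse_ts(s):
    # syslog timestamps carry no year; assume every line falls in the same year
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_events(text):
    """Return one dict per Proxy ARP message; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            d["when"] = parse_ts(d["ts"])
            events.append(d)
    return events


def active_member_at(when, failovers=FAILOVERS):
    """Which member was active at 'when' (None if before the first record)."""
    active = None
    for ts, member in failovers:
        if parse_ts(ts) <= when:
            active = member
        else:
            break
    return active


def classify(events, member_macs=MEMBER_MACS, nat_ips=NAT_IPS, failovers=FAILOVERS):
    """Tag each event with the MAC's owner, whether the IP is a NAT address, and
    whether the claimant was the standby member at that moment."""
    out = []
    for ev in events:
        owner = member_macs.get(ev["mac"])          # None -> not a cluster member
        active = active_member_at(ev["when"], failovers)
        out.append({
            **ev,
            "owner": owner,
            "nat_ip": ev["ip"] in nat_ips,
            "standby_claim": owner is not None and active is not None and owner != active,
        })
    return out


def summarize(findings):
    """Count (claimant, ip, was-standby) triples so repeated claims stand out."""
    return Counter((f["owner"] or f["mac"], f["ip"], f["standby_claim"]) for f in findings)


if __name__ == "__main__":
    findings = classify(parse_events(SAMPLE_SYSLOG))
    for f in findings:
        flag = "STANDBY-CLAIM" if f["standby_claim"] else ("nat-ip" if f["nat_ip"] else "unknown-ip")
        print(f"{f['ts']} {f['host']}: {f['mac']} ({f['owner'] or 'not a member'}) -> {f['ip']} [{flag}]")
    for (who, ip, standby), n in sorted(summarize(findings).items()):
        print(f"{who} claimed {ip} {n}x (standby at the time: {standby})")
```

Events tagged STANDBY-CLAIM are the ones to line up against the third party's outage reports; a MAC that is not a cluster member at all (the last sample line) points at a different host on the DMZ segment and should be chased separately.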
