Sergio,

I don't know if it's related to your problem, but for the last few days
I've been having trouble with my Checkpoint deployment. As in your case,
I had made an upgrade from H55 to R60 a few months ago. From time to
time I lose connections over one of the DMZs configured in the
ClusterXL, and when that happens some connections over the active
firewall are lost too. One interesting thing, and I would appreciate it
if you can confirm it, is whether you can find any alert in the
Smartview Tracker that is reflected too in the Smartview Monitor
indicating that a change of Floodgate1 rule is applied. Here, every time
the disconnection is going to occur I register an event like this one:

Number:            12017
Date:              14Aug2006
Time:              13:50:15
Origin:            srvcheckadm (x.x.x.x)
Application:       System Monitor
Subject:           Object Manipulation
Operation:         Modify Object
Type:              Log
Object Table:      thresholds
Object Type:       threshold_event_string
Performed On:      floodgate_application_SRVCHECK02_policy_time
Changes:           eventData: changed from 'Mon Aug 14 13:07:12 2006' to 'Mon Aug 14 13:50:14 2006'
                   eventDetectionTime: changed from '1155575235' to '1155577815'
Administrator:     localhost
Client:            srvcheckadm
Uid:               {9532262F-461B-4F01-ACA7-4A183BD9F3BC}
Operation Number:  1

After that the disconnection occurs, and if I want to be reconnected
faster I need to apply the rules over the cluster again.
I have this configuration:

Checkpoint version:  NGX R60
O.S: Windows 2003 Server
ClusterXL mode: New Mode High Availability, with State Synchronization
QoS: Activated
ARP: Automatic ARP configuration is disabled

P.S. I'll check for that detail of the CPU usage during that event and
I'll confirm it.

If you want to talk about this please call me, this thing is killing
me.

Carlos Caballero
Communications Engineer
Banco Mercantil S.A.
La Paz - Bolivia
Tel.: (591) 2 2409040 Ext.: 4441
 

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
Sent: Friday, August 18, 2006 08:47 p.m.
To: [email protected]
Subject: [FW-1] Problems with ARP and CPU usage after R60HFA03 upgrade

Hello,

I currently have a customer with an HA (active/standby) pair of fw
modules running over Solaris 9 and his Smartcenter running over Windows
2003 Server. About 3 months ago we upgraded all that from R55 HFA18 to
R60 HFA03 and everything seemed OK for quite a while. After that upgrade
my customer started having connectivity issues from time to time with a
third party that connects with them via one of their DMZ interfaces.
They worked on the issue but never found anything they could consider a
problem with the cluster, so they had always blamed the other guys, but
recently they found out that every time they install the CheckPoint
security policy, both firewall modules get their CPU usage all the way
to 100% (even the one in standby mode). This situation led to an
investigation and gathering of data from both machines at a platform
level, and today they found logs on both machines like this:

Proxy ARP problem? Hardware Address "XX:XX:XX:XX:XX:XX" thinks it is YY.YY.YY.YY

Where XX.XX... is the MAC address of the machine that was in standby at
the moment and YY.YY.... any of the IP addresses the firewall is
supposed to put on the ARP table because it is used in any of the
automatic NAT rules.

Remember these logs were seen at the Solaris platform level in both
firewall modules. Check Point logs show nothing we could relate to these
incidents, and the time stamps of the logs seem to indicate these events
started occurring from time to time after the R60 HFA03 upgrade.

The first important detail here is that several switches between active
and standby states occurred for no apparent reason, although it does not
seem to happen very often and it is still difficult to relate those
events in time with the connectivity failures. The second interesting
detail here is that at some point whichever module was running in
standby mode attempted to put entries in the ARP table with its MAC
address.

Something else my customer reported, and I'm not quite sure if it is
related or not with all these issues, is that on the CheckPoint logs he
sees that from time to time a single log originated by whichever module
is in standby mode shows it made a blocking (valid according to the
policy), but less than a second later the active module again continues
generating the rest of the logs. It is like for less than a second the
standby module processed traffic and then returned to its standby state.
I'm saying that I'm not sure if it is related with the other issues
because I have never noticed such behavior before on an HA environment,
but it could be considered normal by someone else.

It sounds to me like the high CPU usage and the ARP issues could be
related to some sort of bug, as none of them was experienced by my
customer before migrating from R55 to R60 HFA03, but does anybody know
anything about that?

I would really appreciate any help with this as SecureKnowledge has not
been very helpful so far.

Regards

-- 
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
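
Added example, not part of either message above: one way to test the correlation both posters are trying to establish, by parsing the "Proxy ARP problem?" warnings and checking which ones fall shortly after a policy install and which cluster member claimed the address. The syslog prefix layout, hostnames, MAC and IP addresses are constructed sample values, and treating the two eventData times from the tracker record as policy-install times is an assumption.

```python
import re
from datetime import datetime, timedelta

# Matches the warning text quoted in the thread; the "Mon DD HH:MM:SS host"
# prefix is an assumed syslog layout.
ARP_RE = re.compile(
    r'^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s.*Proxy ARP problem\?\s+'
    r'Hardware Address\s+["\']?([0-9a-f:]+)["\']?\s+thinks it is\s+'
    r'(\d+\.\d+\.\d+\.\d+)', re.I)

# Constructed sample input (documentation MAC and IP ranges).
SAMPLE_SYSLOG = [
    'Aug 14 13:07:15 fw-a ip: WARNING: Proxy ARP problem? Hardware Address "00:00:5e:00:53:0b" thinks it is 192.0.2.10',
    'Aug 14 13:07:16 fw-a ip: WARNING: Proxy ARP problem? Hardware Address "00:00:5e:00:53:0b" thinks it is 192.0.2.11',
    'Aug 14 13:30:00 fw-a sshd: unrelated line',
    'Aug 14 13:50:17 fw-a ip: WARNING: Proxy ARP problem? Hardware Address "00:00:5e:00:53:0b" thinks it is 192.0.2.10',
    'Aug 14 15:12:40 fw-b ip: WARNING: Proxy ARP problem? Hardware Address "00:00:5e:00:53:0a" thinks it is 192.0.2.10',
]
# Assumed policy-install times (the eventData values in the tracker record).
POLICY_INSTALLS = [datetime(2006, 8, 14, 13, 7, 12),
                   datetime(2006, 8, 14, 13, 50, 14)]
# Hypothetical inventory: interface MAC -> cluster member name.
MEMBERS = {"00:00:5e:00:53:0a": "fw-a", "00:00:5e:00:53:0b": "fw-b"}

def parse_arp_conflicts(lines, year):
    """Return (time, reporting_host, claiming_mac, claimed_ip) per warning."""
    out = []
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3).lower(), m.group(4)))
    return out

def correlate(conflicts, installs, members, window=timedelta(seconds=60)):
    """Tag each warning with the claiming member and whether it occurred
    within `window` after any policy install."""
    rows = []
    for ts, host, mac, ip in conflicts:
        near = any(timedelta(0) <= ts - t <= window for t in installs)
        rows.append({"time": ts, "seen_on": host, "ip": ip,
                     "claimed_by": members.get(mac, "unknown"),
                     "after_install": near})
    return rows

if __name__ == "__main__":
    for row in correlate(parse_arp_conflicts(SAMPLE_SYSLOG, 2006),
                         POLICY_INSTALLS, MEMBERS):
        print(row)
```

Warnings that appear only in the window after an install point at the policy push; warnings outside it, such as the last sample line, point at something else, for example a failover.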
