Well,

First of all, I should say either you use Cluster XL or you use VRRP; I think
that your problem resides there. I've never seen this configuration and I
don't think it is correct at all. Try using only VRRP, and verify if everything
is working fine.


Best regards
 
lino
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Pedro
Boavida
Sent: Friday, 22 September 2006 06:06 a.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] High Availability VRRP Outgoing traffic behavior

Hi,

I'd like some clarification regarding the following situation:

Environment: 
Nokia IP1260 Cluster with 2 Members (IPSO 4.0 with NGX R60 HFA04) using 3rd
Party VRRP High Availability and Cluster XL for the SyncNetwork

VRRP:
VRRP Monitored Circuits using Legacy Configuration
3rd Party Configuration (Cluster Object):
- Support for non-sticky connections - Disable
- Hide Cluster Members outgoing traffic behind the Cluster IP address - Enable
- Forward Cluster Incoming traffic to Cluster Members IP address - Enable

Problem:
Assuming this, when we initiate a connection from the active member, if we
make a tcpdump, the connection SourceMAC is the VRRP_MAC and SourceIP is the
VIP, and in SmartTracker we see the IP of the active member being
translated to the Cluster IP (VIP) by an implied rule; well, this is the
normal behavior.

If we make a connection from the standby member we see the connection
getting out (SYN); the SourceMAC is the LocalMAC and SourceIP is the VIP from
the member, and in SmartTracker we see the IP of the standby member
being translated to the Cluster IP (VIP) by an implied rule. The connection
is unsuccessful because the SYN-ACK will return to the VIP address and will
be processed by the active member, and so I cannot initiate any
connection using the standby member; well, this should be the normal behavior
also.

The problem is that this behavior is not true on all interfaces of the
standby member: on some interfaces the connection is initiated with
SourceMAC=LocalMAC and SourceIP=LocalIP, and in SmartTracker we don't see
the IP of the member being translated to the Cluster IP (VIP) by an implied
rule, and of course with this behavior the TCP handshake is done and the
connection is made.

Can anyone tell which behavior to expect when initiating a connection from a
standby member of a VRRPmc configuration regarding the source MAC address and
source IP address used by the member?
With the checkbox "Hide Cluster Members outgoing traffic behind the
Cluster IP address" enabled, should I not expect the same behavior on all
interfaces? Is there a configuration per interface?

Thanks in advance.

Pedro Boavida

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[EMAIL PROTECTED]
=================================================
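The three behaviours Pedro describes (VIP + VRRP MAC on the active member, VIP + local MAC on the standby, and local IP + local MAC on the "odd" standby interfaces) can be told apart mechanically from `tcpdump -e -nn` output. The script below is an added example written for this page, not code from the thread, Nokia or Check Point: it parses outbound SYNs per interface and flags the interfaces on which a standby member sends with its own IP even though "Hide Cluster Members outgoing traffic behind the Cluster IP address" is enabled. The interface names, VIP/local addresses and captured lines are constructed for illustration; the only external fact used is the IANA VRRP virtual MAC prefix 00:00:5e:00:01:{VRID} from RFC 3768.

```python
import re
from dataclasses import dataclass

# VRRP virtual router MAC prefix (RFC 3768): 00-00-5E-00-01-{VRID}.
VRRP_MAC_PREFIX = "00:00:5e:00:01:"

# Assumed per-interface addressing for ONE cluster member (constructed, not
# taken from the post). "vip" is the VRRP address, "local" the member's own.
INTERFACES = {
    "eth-s1p1": {"vip": "192.0.2.1", "local": "192.0.2.2"},
    "eth-s2p1": {"vip": "198.51.100.1", "local": "198.51.100.2"},
    "eth-s3p1": {"vip": "203.0.113.1", "local": "203.0.113.2"},
}

# One `tcpdump -e -nn` line for an IPv4/TCP segment.
_LINE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

DESCRIPTION = {
    "vip_vrrp_mac": "hidden behind VIP with VRRP MAC (active member, expected)",
    "vip_local_mac": "VIP with local MAC (standby; SYN-ACK lands on the master, handshake fails)",
    "local_ip_local_mac": "NOT hidden: local IP and local MAC (handshake completes from standby)",
    "unknown": "source address not the VIP nor the member address",
}


@dataclass
class Verdict:
    interface: str
    src_mac: str
    src_ip: str
    behaviour: str  # key into DESCRIPTION


def classify_syn(interface, line):
    """Classify one captured line; returns None unless it is a pure SYN."""
    m = _LINE.match(line)
    if not m or m["flags"] != "S":  # "S." is a SYN-ACK, "." plain ACK, etc.
        return None
    cfg = INTERFACES[interface]
    smac, sip = m["smac"].lower(), m["sip"]
    if sip == cfg["vip"] and smac.startswith(VRRP_MAC_PREFIX):
        behaviour = "vip_vrrp_mac"
    elif sip == cfg["vip"]:
        behaviour = "vip_local_mac"
    elif sip == cfg["local"]:
        behaviour = "local_ip_local_mac"
    else:
        behaviour = "unknown"
    return Verdict(interface, smac, sip, behaviour)


def summarize(captures):
    """interface -> list of behaviour keys, one per outbound SYN seen."""
    return {
        iface: [v.behaviour for v in (classify_syn(iface, l) for l in lines) if v]
        for iface, lines in captures.items()
    }


def interfaces_not_hidden(captures):
    """Interfaces where a SYN left with the member's own IP despite 'hide' being enabled."""
    return sorted(i for i, b in summarize(captures).items() if "local_ip_local_mac" in b)


# Constructed captures: one tcpdump per interface of the standby member,
# plus a SYN-ACK and an ACK on eth-s1p1 to show they are ignored.
SAMPLE_CAPTURES = {
    "eth-s1p1": [
        "13:05:01.100000 00:00:5e:00:01:0a > 00:1b:2c:3d:4e:5f, ethertype IPv4 (0x0800), length 74: 192.0.2.1.40001 > 203.0.113.50.80: Flags [S], seq 100, win 65535, length 0",
        "13:05:01.100400 00:1b:2c:3d:4e:5f > 00:00:5e:00:01:0a, ethertype IPv4 (0x0800), length 74: 203.0.113.50.80 > 192.0.2.1.40001: Flags [S.], seq 200, ack 101, win 65535, length 0",
        "13:05:01.100600 00:00:5e:00:01:0a > 00:1b:2c:3d:4e:5f, ethertype IPv4 (0x0800), length 66: 192.0.2.1.40001 > 203.0.113.50.80: Flags [.], ack 201, win 65535, length 0",
    ],
    "eth-s2p1": [
        "13:06:10.200000 00:a0:8e:11:22:33 > 00:1b:2c:3d:4e:60, ethertype IPv4 (0x0800), length 74: 198.51.100.1.40002 > 203.0.113.50.80: Flags [S], seq 300, win 65535, length 0",
    ],
    "eth-s3p1": [
        "13:07:20.300000 00:a0:8e:11:22:34 > 00:1b:2c:3d:4e:61, ethertype IPv4 (0x0800), length 74: 203.0.113.2.40003 > 203.0.113.50.80: Flags [S], seq 400, win 65535, length 0",
    ],
}

if __name__ == "__main__":
    for iface, behaviours in summarize(SAMPLE_CAPTURES).items():
        for b in behaviours:
            print(f"{iface}: {DESCRIPTION[b]}")
    print("interfaces not hiding behind the VIP:", interfaces_not_hidden(SAMPLE_CAPTURES))
```

Run it against real captures by replacing `SAMPLE_CAPTURES` with the output of `tcpdump -e -nn -i <ifname> 'tcp[tcpflags] & tcp-syn != 0'` on each interface and filling `INTERFACES` from the member's VRRP configuration; any interface reported by `interfaces_not_hidden` is one where the implied hide rule did not fire, which is the inconsistency the post asks about.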
