[FW-1] Wrong MAC problem with ClusterXL High Availability NGX R65

Tue, 25 Sep 2007 00:10:14 -0700 

Hello,
We have a strange problem with ClusterXL HA mode, version NGX R65, platform Solaris 9. 

Example:
External net 210.1.1.0/24
Cluster external IP 210.1.1.1
Member 1 external IP 210.1.1.2
Member 2 external IP 210.1.1.3

Member 1 is primary, Member 2 - secondary.

Internal net 10.1.1.0/24
Cluster internal IP 10.1.1.1
Member 1 internal IP 10.1.1.2
Member 2 internal IP 10.1.1.3

Cluster synchronization - broadcast.

Host in the internal network has IP 10.1.1.10, NATed to 210.1.1.10.


When we try to access this internal host from external network, 
connected to the cluster (for example, client host has IP 210.1.1.100), 
we have a long timeout. After that timeout connection established fine.



We have investigated, that, when there's no arp record on our client 
host for IP 210.1.1.10, first arp-reply returned active cluster's member 
MAC on external interface with wrong two last bytes. The second 
arp-reply returns correct MAC.



Let's Member 1 has external MAC 14:10:12:5f:5a:11, Member 2 
12:10:0a:5f:eb:01. Member 1 is active.



The first arp-reply for 210.1.1.10 returns MAC 14:10:12:5f:8f:14, we 
have timeout, because there is no computer with such MAC. The second 
arp-reply returns 14:10:12:5f:5a:11 and connection established fine.



If Member 2 is active, then first arp-replay returns MAC 
12:10:0a:5f:8f:14, the second - 12:10:0a:5f:eb:01.



Member 2 has hme card on external net, Member 1 - bge card. 
local-mac-address?=true on both computers.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================






















					Reply via email to