Hello,

Yesterday I visited a customer who wanted to deploy ISP Redundancy with his
VPN-1 HA pair. He has two firewall modules running R65 SPLAT 2.6, which are
managed by a SmartCenter running R65 SPLAT 2.4 HFA30.

He wanted to make sure of all the changes that would be required and also do
some testing, so I first installed a standalone firewall on a lab machine,
made the entire configuration and everything worked perfectly.

Later, out of business hours, we started working on the production machines,
I made the entire configuration for the cluster and everything worked fine
with the outbound traffic, as the cluster started balancing the connections
properly between the 2 ISPs, but the inbound traffic did not work. The manual
NAT rules work fine, it is in fact possible to send traffic to servers on
the DMZ via public IPs of both ISPs, but the DNS Proxy doesn't work at all,
I checked the configuration again and again and everything looks fine, but
the cluster just won't answer to any DNS queries sent to it.

I checked the SmartView Tracker and saw all the DNS requests arriving to the
cluster public IPs from the outside and everything appears accepted.

I'm sure many of you are thinking if I got fw monitor captures to see what
exactly happens after the cluster accepts the incoming requests... well, I
did get fw monitor and tcpdump captures but it is a real pain to find a way
to get those out of the firewall module locally on my customer's network and
by the time I got them it was already 4am, so I uploaded those directly to
Check Point Support's FTP, who asked for them, and I'm expecting the
customer to upload them to an FTP I just brought up, so I can check them
out, but in the meantime I wanted to know if any of you guys has seen
anything like this before.

Thanks in advance for any help you could provide.

Regards

-- 
Sergio Alvarez
+(506)88301342
