Also check your Spoofing settings on the interface that is always
master. If it is incorrect, the firewall drops the incoming VRRP packets,
and then IPSO thinks it should be master...

On another front, why do you have the firewall monitoring switched off?
This means that if for some reason the firewall software fails, VRRP
doesn't notice and you won't have traffic flowing, although you have a
stand-by node that is ready...
If monitoring is switched on, doing a cpstop on the active (VRRP master)
node means the whole thing switches over to the backup node...

Dion-ben Hendriks
Network specialist
Universitair Medisch Centrum St Radboud
Service Company - Product Group ICT
Huispost 49                           Route 39
Postbus 9101                         Gerard van Swietenlaan 4
6500 HB Nijmegen                6525 GB Nijmegen
Tel:  (+31)/(0) 24 36 19330
Fax: (+31)/(0) 24 3541167
http://www.umcn.nl 

This e-mail and any attachments are subject to a disclaimer which is
included on our website: http://www.umcn.nl/disclaimer 
If you are unable to retrieve and/or save this disclaimer, please send
an e-mail to mailto:[email protected] and we will send you the disclaimer.
=====================================================================

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On behalf of David
DeSimone
Sent: Tuesday, 15 December 2009 19:09
To: [email protected]
Subject: Re: [FW-1] Nokia VRRP and Cphaprob

Peter Addy <[email protected]> wrote:
>
> > does anyone know why my firewalls would say active active in a vrrp
> > configured set up

As others have said, this is because Checkpoint does not know the
master/backup state of VRRP; that is managed by the OS, so Checkpoint
goes active/active so that it can be ready to direct traffic if it
should suddenly show up due to a VRRP event.

> there is one interface which always appears to be in master when it
> should be in backup

This happens when the interface cannot "hear" the VRRP announcements
coming from the other firewall.  It will think the other master is dead,
and assume master for itself.

However, this sounds like an incorrect VRRP design with separate VRRP
grouping for each interface.  Normally all interfaces would need to be
grouped together, so that if one interface fails, all of them fail
together so that the other firewall takes over all traffic.

> this is an interface which has two networks assigned to it, but is ok
> on the master and show in master, there is two backup addresses to
> this interface

In older versions of IPSO, I have run into many problems trying to
assign VRRP to two networks on the same interface.  What I found worked
best was to assign only one VRRP config and use proxy-arp with the
virtual MAC to manage the secondary IP.  This was much more stable.

> also should cphaprob stat show active/active  or active/backup.  in
> VRRP i can't recall

You will always see cphaprob show active/active with a Nokia VRRP
config.

> finally an issue we have had is that all works ok, however when we
> change the VRID to 3 from 1 on both firewalls, then a problem occurs,
> so we then change the VRID back to 1 and all works fine, so I'm
> thinking is this the firewall or switches or even the load balancers
> we have?

It sounds like you have other devices also using VRRP with router id 1;
if they conflict you will create many problems.  Use tcpdump on Nokia to
detect what other devices are sending VRRP packets if you are not sure
where they come from.

-- 
David DeSimone == Network Admin == [email protected]
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
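The two diagnoses above (a VRID that is also in use by some other device on the segment, and an interface that never hears its peer's advertisements) both come down to looking at who is sending VRRP advertisements on each interface. The following is an added example, not code from the thread, from Nokia or from Check Point: it decodes VRRPv2 advertisements (RFC 3768 format, including the Internet checksum) and builds a per-interface inventory of senders per VRID, flagging a VRID advertised by an address outside the expected firewall pair and a VRID for which only one firewall is heard. The packets and addresses are constructed inline for the example; on IPSO you would collect real ones with something like `tcpdump -ni eth1 -s 0 -w vrrp.pcap ip proto 112` and feed the IP payloads to `inventory()`. The `EXPECTED_PEERS` addresses are an assumption for the example.

```python
"""Inventory VRRPv2 advertisements per interface to spot VRID conflicts and
unheard peers. Added example for this thread, not code from the list, Nokia or
Check Point. Sample packets are constructed inline (no real capture)."""
import struct
from collections import defaultdict

# Assumption for the example: the two Check Point/IPSO nodes use these addresses
# on their VRRP-facing interfaces; any other sender of a VRID is a conflict.
EXPECTED_PEERS = {"10.1.1.2", "10.1.1.3", "10.2.2.2", "10.2.2.3"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp2_advert(vrid: int, priority: int, addrs, adver_int: int = 1) -> bytes:
    """Build a VRRPv2 advertisement (RFC 3768 section 5) with a correct checksum."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addrs), 0, adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs) + b"\x00" * 8
    return header[:6] + struct.pack("!H", internet_checksum(header + body)) + body


def parse_vrrp2_advert(data: bytes) -> dict:
    """Decode one VRRPv2 advertisement; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("short VRRP packet")
    vt, vrid, prio, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", data[:8])
    version, ptype = vt >> 4, vt & 0x0F
    if version != 2 or ptype != 1:
        raise ValueError("not a VRRPv2 advertisement (version=%d, type=%d)" % (version, ptype))
    if internet_checksum(data) != 0:
        raise ValueError("bad VRRP checksum")
    if len(data) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    addrs = [".".join(str(b) for b in data[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "addrs": addrs}


def inventory(frames, expected_peers=EXPECTED_PEERS):
    """frames: iterable of (interface, source IP, VRRP payload bytes).
    Returns ({(interface, vrid): [senders]}, [findings])."""
    seen = defaultdict(set)
    findings = []
    for iface, src, payload in frames:
        try:
            adv = parse_vrrp2_advert(payload)
        except ValueError as exc:
            findings.append("%s: dropped advert from %s: %s" % (iface, src, exc))
            continue
        seen[(iface, adv["vrid"])].add(src)
    for (iface, vrid), senders in sorted(seen.items()):
        foreign = senders - expected_peers
        if foreign:
            # Another box (switch, load balancer, ...) also uses this VRID on this segment.
            findings.append("%s: VRID %d also advertised by %s (conflict)"
                            % (iface, vrid, sorted(foreign)))
        if len(senders & expected_peers) < 2:
            # Only one firewall heard: the peer's adverts are not reaching this interface,
            # so it will assume master for itself.
            findings.append("%s: VRID %d heard only from %s; peer adverts not arriving "
                            "(check anti-spoofing and the L2 path)" % (iface, vrid, sorted(senders)))
    return {k: sorted(v) for k, v in seen.items()}, findings


def constructed_frames():
    """Constructed sample input for the example (not a real capture)."""
    fw_a = build_vrrp2_advert(1, 100, ["10.1.1.1"])
    fw_b = build_vrrp2_advert(1, 95, ["10.1.1.1"])
    lb = build_vrrp2_advert(1, 110, ["10.1.1.100"])   # third device reusing VRID 1
    corrupt = bytearray(fw_a)
    corrupt[2] ^= 0xFF                                 # priority altered, checksum now wrong
    return [
        ("eth1", "10.1.1.2", fw_a),
        ("eth1", "10.1.1.3", fw_b),
        ("eth1", "10.1.1.50", lb),
        ("eth1", "10.1.1.2", bytes(corrupt)),
        ("eth2", "10.2.2.2", build_vrrp2_advert(1, 100, ["10.2.2.1"])),  # peer never heard here
    ]


if __name__ == "__main__":
    table, notes = inventory(constructed_frames())
    for key, senders in sorted(table.items()):
        print(key, senders)
    for note in notes:
        print(note)
```

On the constructed input the inventory lists three senders for VRID 1 on eth1 (the two firewalls plus 10.1.1.50, which is reported as a conflict), drops the tampered packet on its checksum, and reports that VRID 1 on eth2 is heard from one firewall only, which is exactly the situation in which that interface goes master on its own.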


This email message is intended for the use of the person to whom it has
been sent, and may contain information that is confidential or legally
protected. If you are not the intended recipient or have received this
message in error, you are not authorized to copy, distribute, or
otherwise use this message or its attachments. Please notify the sender
immediately by return e-mail and permanently delete this message and any
attachments. Verio, Inc. makes no warranty that this email is error or
virus free.  Thank you.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


The Radboud University Nijmegen Medical Centre is listed in the Commercial 
Register of the Chamber of Commerce under file number 41055629.



