all,

asymmetrical routing problem caused by vrrp state fluctuation seems to be fixed by removing the old vrrpid and creating new vrrp id.

maybe i should upgrade the current ipso to 3.3?? i'm running 3.2.1. anyone has the release notes on 3.3?? i do have both images on my nokia box, but when i chose the 3.3 and rebooted the box, firewall failed to start. it's been a while and i forgot how to do the IPSO upgrade. help please??

Mike

Mike Lee wrote:
> I'll try to put both outside interfaces on the same switch and see if the
> problem still exists.
>
> it would suck not to enable trunking.
>
> mike
>
> ----- Original Message -----
> From: BillO <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Sent: Monday, May 13, 2002 12:26 PM
> Subject: Re: [FW-1] backup interface wouldn't keep quite.
>
> I have seen various problems with the Cisco switches and
> vrrp/monitored circuit before. You might want to check the Nokia
> page, but I believe there was a setting like
>
> set port channel "port list" off
>
> this alleviated some issues related to how long convergence took.
>
> one other thing i can think of is if you are using the same router
> id for more than one nokia interface and using the same switches "on
> different vlans" you may have a mac related problem where the switch
> is getting confused on where to send the packet and either dropping
> it or sending it to the wrong interface.
>
> you could also look at the vrrp statistics for the various
> interfaces in question and see if you are clocking errors. maybe
> some of the vrrp packets are getting mangled when they are sent or
> in transit and this happens enough that the backup occasionally
> misses enough packets and will switch to master.
>
> ----- Original Message -----
> From: Mike Lee <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Sent: Monday, May 13, 2002 5:13 AM
> Subject: [FW-1] backup interface wouldn't keep quite.
>
> Hi,
>
> Firewall 4.1, Nokia 440, IPSO 3.2.1-fcs1, running VRRP on
> outside, inside, dmz interfaces.
>
> Symptom: Regularly, the backup firewall's outside
> interface changes its state to Master, even though Primary is
> functioning fine, causing slowness in Internet Access.
>
> What i find from TCPDUMP is that primary sends a VRRP multicast
> message out every 1 second. What's odd is that every once in a
> while, i see Backup send out one VRRP message. This causes
> significant delay in our Internet Access.
>
> At the firewall side, VRRP config looks identical to the Nokia
> document on how to set one up. I do have policies to allow vrrp
> traffic.
>
> All the interfaces go to a pair of Cisco 4000 switches with
> various VLANs. First 2 ports of the switches are configured
> with VLAN trunking.
>
> Originally, firewall's inside and dmz interfaces were connected
> to Cisco4000 switch with its own VLAN. Outside interfaces of
> the firewall were originally connected to Cisco2900 before and
> we moved them to Cisco4000 switch with its own VLAN.
>
> First I thought it was the switch's VLAN trunking config, but I
> doubt it is that. If it was the VLAN trunk issue, then i would
> see the same behavior with inside and dmz interfaces too...
>
> any thoughts??
>
> thanks,
>
> Mike
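The tcpdump check described in the original post (primary advertising every second, backup occasionally sending an advertisement of its own) can be automated. The script below is an added example, not part of the thread: it assumes the text line format of a current `tcpdump -tt -n` for VRRPv2, uses constructed sample lines with documentation addresses, and the name `find_flaps` is hypothetical. It compares the gap since the primary's last advertisement with the Master_Down_Interval from the VRRP specification (RFC 2338).

```python
import re

# Assumed line shape: `tcpdump -tt -n` text output for VRRPv2 advertisements.
ADVERT = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > 224\.0\.0\.18: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+),.*intvl (?P<intvl>\d+)s"
)

# Constructed sample capture (not from the thread): .2 is primary, .3 is backup.
SAMPLE = """\
1021288380.000000 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 1s, length 20
1021288381.000000 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 1s, length 20
1021288381.400000 IP 192.0.2.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 95, authtype none, intvl 1s, length 20
1021288382.000000 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 1s, length 20
1021288383.000000 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 1s, length 20
1021288387.000000 IP 192.0.2.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 95, authtype none, intvl 1s, length 20
1021288388.000000 IP 192.0.2.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 1s, length 20
"""

def find_flaps(lines):
    """Return one record per advertisement sent by a router that is not the
    highest-priority sender seen so far for its VRID."""
    best = {}      # vrid -> (prio, src, last_ts) of the highest-priority sender
    events = []
    for line in lines:
        m = ADVERT.match(line)
        if not m:
            continue
        ts, src = float(m["ts"]), m["src"]
        vrid, prio, intvl = int(m["vrid"]), int(m["prio"]), int(m["intvl"])
        cur = best.get(vrid)
        if cur is None or src == cur[1] or prio > cur[0]:
            best[vrid] = (prio, src, ts)   # expected master, or a higher-priority takeover
            continue
        # RFC 2338: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
        # Skew_Time = (256 - Priority) / 256, using the lower-priority sender's priority.
        down = 3 * intvl + (256 - prio) / 256
        gap = ts - cur[2]
        events.append({"ts": ts, "vrid": vrid, "src": src, "gap": round(gap, 3),
                       "master_down": round(down, 3), "master_silent": gap >= down})
    return events

if __name__ == "__main__":
    for event in find_flaps(SAMPLE.splitlines()):
        print(event)
```

A record with `master_silent` false means the primary's advertisements were still visible at the capture point when the backup spoke, which points at loss between the capture point and the backup rather than at the primary.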
