I have a pair of Nokias running IPSO 3.5 and NG FP2 with VRRPmc and state sync. I have some queries/problems:
Traffic initiated from the external interface on the secondary firewall (e.g. DNS, NTP) goes out fine, but the reply traffic is picked up by the external interface (the real IP, not the VRRP IP) on the primary firewall and dropped. I don't understand why this is happening.

During a VRRP failover (by me pulling out one of the monitored interface cables or halting the primary firewall) I get weird results from Check Point. ifconfig and the VRRP monitor show that the secondary has taken over the external/internal/DMZ VRRP addresses fine, and I can connect directly to the firewall VRRP address OK (e.g. by ssh, and see that I am really connecting to the secondary as expected).

I'm using proxy ARPs on the external interface (I know, yuk) and static NAT to the DMZ servers. Static routes are defined for the proxy ARPs on both firewalls. I have some traffic from the internal network allowed out that I am hide NATing behind the external VRRP IP. I have turned off the auto ARP feature in NG in case it was messing things up, even though I'm not doing any NAT with a firewall object in the NAT policy. The external and DMZ interfaces are connected to separate hubs; the internal interfaces are connected to a 3Com switch.

If I pull out the DMZ interface on the primary, failover is fine: the internal network traffic that goes out and is NATed behind the external VRRP address keeps working, but nothing in the DMZ can talk to the outside. And vice versa if I pull out the internal interface to initiate failover: the DMZ works but the internal net stops. Reconnecting the appropriate interface flips the VRRP IPs back over to the primary and everything works again.

During cpstart I get told "HA mode is not defined". "fw ctl pstat" shows state sync is working OK, so I assume this is to do with load balancing and is normal for a state sync config?
Thanks
Mike