This does not make sense - but could be an IPSO3.6 issue.
On IPSO3.5 and prior it works as follows.
Packets originating from the firewall should use:
source IP = Firewall physical IP
source MAC = Firewall physical MAC addresses (not the virtual).
Packets forwarded through the firewall should use:
source IP = Original Source IP
source MAC = Firewall physical MAC addresses (not the virtual).
Packets destined to the firewall should use:
destination IP = Firewall physical IP
destination MAC = Firewall physical MAC addresses (not the virtual).
Packets destined to a device through the firewall should use:
destination IP = Ultimate Destination IP
destination MAC = Firewall VRRP MAC address.
The firewall should not source connections using the Virtual IP address. However,
enabling 'Accept Connections to VRRP IPs' should allow connections to be established
direct to the virtual IP - hence responses will come from this IP address.
I don't like IPSO3.6: when I tested it, it did not pass IP multicast packets (i.e.
VRRP) to CP. This meant the VRRP converged, but CP had no knowledge of it. This scared
me as what else might be going through un-noticed!!!
Derin
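
An added example, not part of the original message: a small checker that applies the source-address rules listed above to frames seen leaving the firewall. All addresses and the VRID are constructed; VRRP advertisements are skipped because the VRRP specification has them sent from the virtual MAC, an exemption that does not come from this thread.

```python
import socket
import struct

VRRP_PROTO = 112  # IP protocol number used by VRRP advertisements

def vrrp_mac(vrid):
    """IPv4 VRRP virtual MAC, 00:00:5e:00:01:<VRID>."""
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vrid])

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6):
    """Constructed sample data: Ethernet II + bare IPv4 header (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip

def check_outbound(frame, phys_mac, vip, vrid, accept_vip_conns=False):
    """Findings for one frame seen leaving the firewall, per the rules above."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return []                       # truncated, or not IPv4 over Ethernet II
    src_mac, proto = frame[6:12], frame[23]
    src_ip = socket.inet_ntoa(frame[26:30])
    if src_mac not in (phys_mac, vrrp_mac(vrid)):
        return []                       # not transmitted by this firewall
    if proto == VRRP_PROTO:
        return []                       # advertisements are sent from the virtual MAC
    findings = []
    if src_mac == vrrp_mac(vrid):
        findings.append("source MAC is the VRRP virtual MAC")
    if src_ip == vip and not accept_vip_conns:
        findings.append("source IP is the VRRP virtual IP")
    return findings

# All addresses below are constructed for the example.
PHYS_MAC = bytes.fromhex("020000000001")
PEER_MAC = bytes.fromhex("020000000099")
PHYS_IP, VIP, VRID = "192.0.2.2", "192.0.2.1", 10

def run_samples():
    frames = {
        "originated, physical IP": build_frame(PEER_MAC, PHYS_MAC, PHYS_IP, "192.0.2.50"),
        "originated, virtual IP": build_frame(PEER_MAC, PHYS_MAC, VIP, "192.0.2.50"),
        "forwarded, virtual MAC": build_frame(PEER_MAC, vrrp_mac(VRID), "198.51.100.7", "192.0.2.50"),
        "VRRP advertisement": build_frame(bytes.fromhex("01005e000012"), vrrp_mac(VRID),
                                          PHYS_IP, "224.0.0.18", VRRP_PROTO),
    }
    return {name: check_outbound(f, PHYS_MAC, VIP, VRID) for name, f in frames.items()}

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'ok'}")
```

Passing accept_vip_conns=True models 'Accept Connections to VRRP IPs' being enabled, in which case replies sourced from the virtual IP are expected and not reported.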
-----Original Message-----
From: nicolas figaro [mailto:[EMAIL PROTECTED]]
Sent: 07 January 2003 17:16
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] FP3 + nokia vrrp problem
Mellor, Derin wrote:
>It sounds like you're running VRRPv2 rather than VRRP/MonitoredCircuits,
>is this the case?
>
>
all interfaces use monitored circuits.
Nicolas Figaro
>Derin
>
>-----Original Message-----
>From: nicolas figaro [mailto:[EMAIL PROTECTED]]
>Sent: 07 January 2003 15:44
>To: [EMAIL PROTECTED]
>Subject: [FW-1] FP3 + nokia vrrp problem
>
>
>hello,
>
>I configured two nokias with ipso 3.6 FCS 4 and CP FW1 NG FP3 in a
>checkpoint cluster. the nokias use vrrp for high availability (no load
>sharing).
>
>but if I try to send a connection from the backup, the packet is sent
>with the vrrp address. I still can reach the backup (ping, ssh works
>perfectly), but I can't initiate any connection from the module ( I
>need to initiate some supervision connections).
>
>If I perform a ftp unloadlocal, the backup can initiate connection, but
>it's not a good solution.
>
>any idea ???
>
>thanks
>
>nicolas figaro
>cdcixis capital markets
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
>
>
>**********************************************************************
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the sender immediately and then delete from your system.
>
>This footnote also confirms that this email message has been swept for
>the presence of known computer viruses.
>
>**********************************************************************