Here's some additional information to Shawn's post:
If you are running an unsupported configuration like "Stonebeat HA 3.1.6 & FW-1
NG FP3" (CKP does not support this config; Stonesoft does) you will never get the
Sync working if you put some IPs into the Topology Tab of the Cluster Object.
> - Usually, you just don't need that tab at all. Don't use it.
Yepp!
I'm wondering how many such unsupported configs are out there... and how long they
will be...
/Markus
At 12:42 08.01.2003 -0500, you wrote:
Nicolas,
glad it helped. This is an answer we got from CP when we asked them. As I
read that, it means:
- Never put the external IP in
- Usually, you just don't need that tab at all. Don't use it.
- HF1 improves the functionality, FP4 will further. This might be useful for
directing VPNs out different interfaces, but I never actually tried this.
So, inna nutshell: Just don't use the cluster topology tab.
-- Quote --
In all third party solutions except IPSO (Nokia cluster) it is not allowed
to add cluster IPs in the topology tab. In IPSO, it is possible to add
internal cluster IPs to the topology tab when there is a need to communicate
with one of the internal cluster IPs. For example, if
you wish to use secure remote to download topology from the internal cluster
IP. Otherwise, and in the common case, it is not necessary to add anything
to the topology tab.
Until FP3 it was not possible to add cluster IPs to third party solutions
because the topology tab did not exist. Since FP3 adding cluster IPs will
also implement a cluster hide behind that IP. For some features (such as
VPN) cluster hide requires forwarding which is partially implemented (IKE
only) since FP3 and fully implemented from FP3 Hot Fix 1. Console messages
in the form of "delete: can't locate <ip address>" might appear on the
console and can be safely ignored. We will handle this issue for FP4. Also,
from FP4, there is a new option to disable the cluster hide mechanism in
third party solutions. This option is controllable from the smart dashboard.
-- End Quote --
> -----Original Message-----
> From: nicolas figaro [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 08, 2003 10:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] FP3 + nokia vrrp problem
>
>
> Shawn Behrens wrote:
>
> > I configured two nokias with ipso 3.6 FCS 4 and CP FW1 NG FP3 in a
> > checkpoint cluster. the nokias use vrrp for high availability (no load
> > sharing).
> >
> > but if I try to send a connection from the backup, the packet is sent
> > with the vrrp address. I still can reach the backup (ping, ssh works
> > perfectly), but I can't initiate any connection from the module (I need
> > to initiate some supervision connections)
>
>
> >We had this problem when we defined the VRRP IPs in the Cluster topology. If
> >the cluster topology (NOT member topology, cluster topology) is left empty,
> >it worked for us.
> >
> >Do you have your VRRP IPs defined in the Cluster topology? If so, take them
> >out and try again.
> >
> >Shawn
> >
> >
> >
> simply amazing.
> it works.
> next question : what's the interest of defining a cluster topology ??
>
> thanks a lot for your answer Shawn.
>
> Nicolas Figaro
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
Markus Hofbauer, IT-Service / Security
Bacher Systems EDV GmbH, Wienerbergstr. 11B, A-1101 Wien, Austria
phone: +43 (1) 60 126-34 | fax: +43 (1) 60 126-4
e-mail: [EMAIL PROTECTED] | web: www.bacher.at
