Into what kind of switch do the firewalls connect? A question for the list: if this is a spanning tree problem, will turning off spanning tree on the switch help? There is a Nokia resolution that recommends turning it off for best interoperability between the switch and an HA pair running VRRP.

-Aaron

-----Original Message-----
From: Alan Yeow [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 4:38 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

As promised, updates on this topic. Based on the problem with failing back from sec to pri, and esp. with FTP connx that never resumes when the connx fails back after 15 timeouts from sec to pri.

Test 1
If we plug out the external cable from FW-pri, failover happens perfectly fine with 2 timeouts, with FTP resuming its connx, but when we reconnect the cable back on the primary, failover occurs after 15 timeouts but the FTP connx stops.

Test 2
This time, instead of plugging out cables on FW-pri, we consoled in and halted the FW (to simulate as if the entire FW failed), and everything including the FTP connx failed over perfectly fine to FW-sec within 2 timeouts. We restarted FW-pri and let it restart with all cables intact; surprisingly all connx failed BACK perfectly fine and amazingly the FTP connx resumes when it failed back to FW-pri.

Questions
1. Funny in that, if we plug out the cable to test failover and failback, FTP and the response time for failing back have problems. BUT if we shut down and remove fw-pri entirely and return it into the network, failover and failback have no problems at all.
2. How do we explain that? It seems as if, when we plug out cables instead of shutting down, the FW needs to relearn MAC addresses on switches etc.

Any ideas on this?

Thanks
Ay

----- Original Message -----
From: "Stephen Raymond" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 12:06 PM
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

> In my opinion this is not a problem with VRRP. In fact it is a "function" of the switch that it is connected to. See, spanning tree protocol kicks in at this stage.
>
> First failover happens almost immediately because the MAC is in the switch's CAM tables, so when one link goes down the frames are still forwarded to the VRRP MAC.
>
> Now when the link comes back up, spanning tree takes over and goes through the listening, learning and forwarding states. For Cisco the default "max root" spanning tree protocol time out is 15 seconds.
>
> For people unknowing of spanning tree, it is an algorithm that prevents layer 2 loops; it listens, learns, blocks/forwards frames.
>
> So this is why I have found that when the primary VRRPed firewall's interface comes online that is what happens.
>
> Stephen
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Alan Yeow
> Sent: Wednesday, December 11, 2002 9:13 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
>
> Mell,
>
> This is not a cold reboot. We did a test by running FTP thru the primary and pulled out the cable so that it fails over to secondary (which it did in 4 secs), but when we plugged the cable back in the primary again, it took approx 20 secs to failback from secondary to primary and FTP stops.
>
> Failover from Master to Secondary - 4 secs
> Failover from Secondary back to Primary - 20 secs or more
>
> Well we did try the cold start delay (30, 60, 120 secs) but it didn't work though. Anyhow, we will try again. There's a resolution from Nokia on this and we tried it but couldn't get it to solve the problem.
>
> Any other config that we should try?
>
> Thank you.
> Ay
>
> ----- Original Message -----
> From: "Mellor, Derin" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, December 10, 2002 3:23 PM
> Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
>
> > Is this a cold reboot?
> >
> > VRRP is fairly slow recovering, ~20s.
> >
> > If the Master recovers, VRRP will immediately switch all sessions to flow through the Master. This can cause problems as CP might not have finished installing (i.e. it has the default filter loaded, synchronization of the connection table is not complete).
> >
> > The effect is that existing connections move back to the Master. Until the correct security policy and synchronization is loaded the packets will be at best dropped. Normally, once CP is fully initialized and synchronized the sessions continue - this will cause a glitch and possibly dump connections.
> >
> > From my testing it could take ~45s for CP to initialize and synchronize connection tables. To solve this problem you need to hold VRRP. In the VRRP configuration page configure VRRP Cold Start Delay to 60s (this will ensure that CP initializes and synchronizes). This effectively delays VRRP from starting for the specified time period.
> >
> > Assuming this is your issue, the recovery should be seamless.
> >
> > Hope this is of use.
> >
> > Derin
> >
> > -----Original Message-----
> > From: Alan Yeow [mailto:[EMAIL PROTECTED]]
> > Sent: 09 December 2002 07:34
> > To: [EMAIL PROTECTED]
> > Subject: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
> >
> > Hello all,
> >
> > Anyone experienced problems when the secondary fails back to the primary fw?
> >
> > Problem is, it takes 15-30 seconds to failback from secondary to primary. Secondly, after failing back from secondary to primary, existing FTP connections never continue.
> >
> > Here's a brief scenario on what's going on
> > =================================================
> > 1. VRRP alone on Nokia is working fine.
> > 2. Primary fails over to secondary is working fine.
> >    - Primary is able to fail to secondary within 2-4 timeouts
> >    - Ping continues with only 2-4 timeouts
> >    - FTP stops for a fraction of time and is able to continue
> >
> > BUT
> >
> > 3. When failing back from secondary to primary it takes approx 15 - 30 request timeouts.
> >    - Ping session stops with 15-30 timeouts before replies come in
> >    - FTP stops and never resumes connection even after the ping replies.
> >      (that means users will need to reconnect and download again)
> >
> > Any ideas or solutions to this?
> >
> > Thanks
> > Alan

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
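The failure mode Derin describes further up the thread (VRRP preempting back to a rebooted master before its policy install and connection-table sync have finished, so mid-stream packets hit a firewall with no state for them) as an added toy simulation. This is not code from the thread, from Nokia or from Check Point; the 45 s init time is taken from his message, and the one-packet-per-second cadence, the connection key and the "preempt the instant VRRP starts" behaviour are constructed assumptions.

```python
"""Toy timeline of VRRP failback into a stateful firewall pair.

Added example, not from the mailing-list thread. Assumptions (constructed):
the rebooted master needs CP_INIT_SECONDS to load its policy and finish
state sync (the thread quotes ~45 s); the master preempts the VRRP address
the moment its VRRP instance starts; a stateful firewall drops a mid-stream
packet for which it holds no connection entry (no SYN, so no new entry).
"""
from dataclasses import dataclass, field

CP_INIT_SECONDS = 45.0  # from the thread: ~45 s to initialize and sync


@dataclass
class Firewall:
    name: str
    ready_at: float                      # policy installed + table synced
    conns: set = field(default_factory=set)

    def forwards(self, conn: str, now: float) -> bool:
        """Default filter while booting drops everything; afterwards only a
        connection already in the state table is forwarded."""
        return now >= self.ready_at and conn in self.conns


def simulate_failback(cold_start_delay: float, duration: float = 90.0,
                      cp_init: float = CP_INIT_SECONDS) -> dict:
    """Master reboots at t=0 while the secondary is VRRP master and holds the
    FTP state. One mid-stream FTP packet arrives per second; count drops."""
    ftp = "10.0.0.5:51000->192.0.2.10:21"            # constructed key
    secondary = Firewall("fw-sec", ready_at=0.0, conns={ftp})
    primary = Firewall("fw-pri", ready_at=cp_init)  # empty until synced
    dropped, takeover_at = 0, None
    for t in range(int(duration)):
        now = float(t)
        if now >= primary.ready_at:          # sync done: learn peer's table
            primary.conns |= secondary.conns
        # VRRP on the primary starts after the cold start delay and preempts
        active = primary if now >= cold_start_delay else secondary
        if active is primary and takeover_at is None:
            takeover_at = now
        if not active.forwards(ftp, now):
            dropped += 1
    return {"takeover_at": takeover_at, "dropped_seconds": dropped,
            "session_intact": dropped == 0}


if __name__ == "__main__":
    for delay in (0.0, 30.0, 60.0):
        print(f"cold start delay {delay:>4}s ->", simulate_failback(delay))
```

With a delay shorter than the init time the connection is black-holed for the remaining seconds; once the delay exceeds it, the table is already synced when the master preempts and no packet is lost.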
