----- Original Message -----
From: "Matthew Clements" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 29, 2000 10:50 AM
Subject: [FW1] GW Cluster Funnies - different behaviour from members
>
> Hi,
>
> I have a strange problem with a Gateway Cluster made from two Nokia IP650s
> running IPSO 3.2.1 and FW-1 version 4.1 SP1 DES.
Are you literally using a Gateway Cluster object in FireWall-1 4.1 SP1?
> There are 2 VIPs
> configured for the internal network, one ordinarily residing on each box.
Therefore, each platform is normally a master for a VIP while the peer is a backup for that VIP?
> Some internal browsers are set to proxy at one VIP for http, others at the
> other (to load balance outbound http).
>
> The management server downloads a seemingly identical security policy to the
> IP650s which are members of the gateway cluster. (The conf directory has
> files that are the same date / length etc.)
>
> I'm using User Authentication for outbound http (no resources etc, just
> source-user@internal destination-any protocol-http action-userauth).
>
> Browsers proxying at one VIP get authenticated and everything works fine.
> When proxying at the other VIP, FW-1 comes back with "fw-1 at machine: access
> denied" without even prompting for authentication.
>
> Network traces indicate that the module that isn't working queries DNS to
> resolve the requested hostname, receives a valid reply, then sends the denied
> message back to the browser.
>
> I don't understand how this can be happening given that the same security
> policy is supposedly installed on both of the modules.
>
> Other services work fine through the weirdly behaving machine. It's only
> when the http security server gets involved that the weirdness begins.
>
> Any Ideas?
>
I agree - sounds weird. What if you were to fail the funky machine so that
the other platform then took on both VIPs? Would the failing HTTP connections
then make it through this one platform?
If this works, then I would first review the workstation properties for the
funky firewall. Perhaps there is a difference in the definition that you might
notice on another pass.
If there is no anomaly in the workstation properties for this firewall, then
check Host Address Assignment in Network Voyager on this failing firewall and
make sure that the SYSTEM NAME is associated with the IP Address you have
specified in the workstation properties window on the General frame.
Shooting in the dark,
Jerald Josephs
> Matt
>
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
>
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
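The original poster judged the two members' policies "identical" because the files in the conf directory had the same date and length. Same size does not mean same content; a one-byte change in a rulebase leaves the length untouched. The script below is an added example, not code from the thread or from Check Point, and compares two copies of a conf directory by content checksum instead. It assumes the two members' conf directories have already been copied to the local machine (for instance with scp) and that file names contain no spaces; the member1/member2 paths, the file names objects.C and rulebases.fws, and their contents are constructed for the demonstration and are not real policy files.

```shell
#!/bin/sh
# Added example (not from the original thread): compare two FW-1 conf
# directory copies by content checksum rather than by date/length.
# Assumes both directories were copied locally first and that file
# names contain no whitespace.

# The check the original poster relied on: every file has the same size
# in both trees. Returns 0 when all sizes match, 1 otherwise.
sizes_match() {
    for f in $(cd "$1" && find . -type f | sort); do
        [ -f "$2/$f" ] || return 1
        [ $(wc -c < "$1/$f") -eq $(wc -c < "$2/$f") ] || return 1
    done
    return 0
}

# The stronger check: print files present in only one tree and files
# present in both whose contents differ. Returns 0 when the trees match,
# 1 otherwise. cksum is used because it is available on a bare POSIX
# system; it is a CRC, fine for spotting accidental drift, not a defence
# against deliberate tampering (use a cryptographic hash for that).
compare_conf_dirs() {
    a="$1"; b="$2"
    status=0
    for f in $(cd "$a" && find . -type f | sort); do
        if [ ! -f "$b/$f" ]; then
            echo "ONLY-IN-A: $f"; status=1; continue
        fi
        ha=$(cksum < "$a/$f" | cut -d' ' -f1)
        hb=$(cksum < "$b/$f" | cut -d' ' -f1)
        if [ "$ha" != "$hb" ]; then
            echo "DIFFERS: $f"; status=1
        fi
    done
    for f in $(cd "$b" && find . -type f | sort); do
        [ -f "$a/$f" ] || { echo "ONLY-IN-B: $f"; status=1; }
    done
    return $status
}

# Constructed demo data: two trees whose files are byte-for-byte the
# same length, so the size check passes while one rulebase line differs
# ("accept" vs "reject", both six characters). Prints the demo root.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/member1" "$demo/member2"
    printf 'gateway-a\n' > "$demo/member1/objects.C"
    printf 'gateway-a\n' > "$demo/member2/objects.C"
    printf 'rule-1 accept\n' > "$demo/member1/rulebases.fws"
    printf 'rule-1 reject\n' > "$demo/member2/rulebases.fws"
    echo "$demo"
}

# Stand-alone run: show the size check passing and the content check
# reporting the drifted file.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    d=$(make_demo)
    sizes_match "$d/member1" "$d/member2" && echo "sizes match"
    compare_conf_dirs "$d/member1" "$d/member2" || echo "content differs"
    rm -rf "$d"
fi
```

In the cluster case above, run it once per pair of members right after a policy install; a clean result rules out the installed files themselves and points the investigation at the workstation object and Voyager host assignment that the reply suggests checking.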