Hi Everyone,
Has anyone here evaluated the Check Point 4.1 High Availability Module with a
Cisco Catalyst 65xx switch?
CheckPoint Firewall Module v. 4.1 x2
CheckPoint Management Console v 4.1 x1
CheckPoint HA Module x1
We have installed all the above components successfully. The failover has been
tested OK (by shutting down the Firewall Service or unplugging a network interface).
However, we face an intermittent instability problem where internal packets
cannot reach the firewall. We use a PC in the internal LAN to ping a server in
the external zone continuously (ping -t). Every five to ten minutes, the ping
test fails (timeout) for ten to twenty seconds, then returns to normal.
1. There is no Firewall Failover before or during the timeout period.
2. There are no ICMP packet reject/drop records in the Firewall Log.
NOT occur.
The HA module shares the same MAC address for its external and internal
interfaces.
As I was told, most smart switches will "remember", for a given MAC address,
the slot the traffic should go through, to move traffic/packets faster;
thus the switches refresh their MAC address table periodically.
The reason you get the timeouts is because the switch is rebuilding
its MAC address table.
Can anyone verify the explanation?
If I can configure the Catalyst 65xx switch to allow packets for the same MAC
address to go to two ports, is it possible to solve the problem?
Does 'set cam' help to solve the problem?
Could any Cisco tech guys give me a hand on this, please?
Thanks.
Justin.
Systems Engineer (CCSA, CCSE)
Westcon Asia Ltd.
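To check the periodicity hypothesis above (outages recurring on a timer such as MAC table aging), the continuous ping can be logged with timestamps and the outage windows measured. The following is an added example, not part of the original post: it parses a timestamped ping -t log (timestamps assumed to be added by a logging wrapper, since ping itself prints none), reports each outage's start and length, and computes the interval between outage starts. The sample log and the 192.0.2.10 address are constructed.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_outages(log_text):
    """Return [(start, duration_seconds)] for each run of consecutive timeouts.
    An outage runs from the first 'Request timed out.' to the next reply."""
    outages = []
    start = None
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip banner/summary lines that carry no timestamp
        ts = datetime.strptime(m.group(1), TS_FMT)
        timed_out = m.group(2).startswith("Request timed out")
        if timed_out and start is None:
            start = ts
        elif not timed_out and start is not None:
            outages.append((start, int((ts - start).total_seconds())))
            start = None
        last_ts = ts
    if start is not None:  # log ends inside an outage: count up to the last probe
        outages.append((start, int((last_ts - start).total_seconds())))
    return outages

def outage_intervals(outages):
    """Seconds between the starts of successive outages (a periodicity hint:
    a steady interval points at a timer, e.g. MAC table aging, not random loss)."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(outages, outages[1:])]

def constructed_log(total_s, outages):
    """Build a constructed ping log: one probe per second, outages = [(start_s, duration_s)]."""
    base = datetime(2001, 3, 5, 10, 0, 0)
    lines = []
    for s in range(total_s):
        down = any(st <= s < st + d for st, d in outages)
        ts = (base + timedelta(seconds=s)).strftime(TS_FMT)
        body = "Request timed out." if down else "Reply from 192.0.2.10: bytes=32 time<10ms TTL=128"
        lines.append(f"{ts} {body}")
    return "\n".join(lines)

if __name__ == "__main__":
    log = constructed_log(1200, [(300, 15), (900, 12)])  # two outages, 10 minutes apart
    found = parse_outages(log)
    for start, dur in found:
        print(f"outage at {start:%H:%M:%S} lasting {dur}s")
    print("seconds between outage starts:", outage_intervals(found))
```

Feed the real log in place of the constructed one; if the intervals cluster around the switch's MAC aging time, that supports the explanation, and a static CAM entry for the shared MAC is the first thing to test.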
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================