> > I have a strange problem with a Gateway Cluster made from two Nokia IP650s
> > running IPSO 3.2.1 and FW-1 version 4.1 SP1 DES.
>
>Are you literally using a Gateway Cluster object in FireWall-1 4.1 SP1?
Yes
> > There are 2 VIPs
> > configured for the internal network, one ordinarily residing on each box.
>
>Therefore, each platform is normally a master for a VIP while the peer is a
>backup for that VIP?
>
Yes
> > When proxying at the other VIP, FW-1 comes back with fw-1 at machine access
> > denied without even prompting for authentication.
> >
> > Network traces indicate that the module that isn't working queries DNS to
> > resolve the requested hostname, receives a valid reply then sends the denied
> > message back to the browser.
> >
> > I don't understand how this can be happening given that the same security
> > policy is supposedly installed on both of the modules.
> >
> > Other services work fine through the weirdly behaving machine. It's only
> > when the http security server gets involved that the weirdness begins.
> >
> > Any Ideas?
> >
>I agree - sounds weird. What if you were to fail the funky machine so that
>the other platform was to then take on both VIPs? Would the failing HTTP
>connections then make it through this one platform?
>
This doesn't work.
>If there is no anomaly in the workstation properties for this firewall,
>then check Host Address Assignment in Network Voyager on this failing
>firewall and make sure that the SYSTEM NAME is associated with the IP Address
>you have specified in the workstation properties window on the General frame.
I don't know why this resolved the problem, maybe I found an Easter Egg :)
The machines' host names were firewall-1.mydomain and
firewall-2.mydomain. firewall-2 was working and firewall-1 wasn't! - I
changed them to more obscure names and everything started to work. So the
moral of the story is not to call your firewall firewall-1!
Thanks
Matt