Justin,
Look into spanning tree issues or the table that
holds MAC addresses (doubtful). Spanning tree
has a slow convergence time (~30 seconds+).
There is a way to tell the switch to ignore the
duplicate MAC address if I'm not mistaken, but
I don't have that handy.
If I find any more info (check www.cisco.com),
I'll post. If you solve it, let the list know.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> <[EMAIL PROTECTED]> 7/3/00 11:22:28 AM >>>
>
>Hi Everyone,
>
>Has anyone here evaluated the Check Point 4.1 High Availability Module with
>Cisco Catalyst 65xx switch ?
>
>CheckPoint Firewall Module v. 4.1 x2
>CheckPoint Management Console v 4.1 x1
>CheckPoint HA Module x1
>
>We have installed all above components successfully. The failover has been
>tested OK (by shutting down the Firewall Service or unplugging the network interface).
>
>However, we face an intermittent unstable problem that internal packets
>cannot reach the firewall. We use a PC in the internal LAN to ping a server in
>the external Zone continuously (ping -t). Every five to ten minutes,
>the ping test will fail (timeout) for ten to twenty seconds, then go back to
>normal.
>
>
>1. There is no Firewall Failover before or during the timeout period
>2. There are no icmp packet reject/drop records in the Firewall Log
>NOT occur.
>
>The HA module shares the same MAC address for its external and internal
>interface.
>As I was told, most smart switches will "remember" for a given MAC address
>the slot the traffic should go through, to move traffic/packets faster,
>thus the switches will refresh their MAC address table periodically.
>The reason you get the timeouts is because the switch is rebuilding
>its MAC address table.
>
>Can anyone verify the explanation ?
>
>If I can configure the Catalyst 65xx switch to allow the same MAC address
>packet to go to two ports, is it possible to solve the problem ?
>
>Does 'set cam' help to solve the problem ?
>
>Could any Cisco tech guys give me a hand on this, please ?
>
>Thanks.
>Justin.
>
>Systems Engineer (CCSA, CCSE)
>Westcon Asia Ltd.