We have a redundant pair of GB1000s
 
Yesterday the firewalls started "going mad", to use a colloquialism....
 
See quote from our primary admin
 
 
What I think happens is:
You start a config sync from master to slave.
Somehow that sync fails.
(I think) The slave doesn't get a complete config.
Therefore doesn't get the full family of remote access rules to allow the
UDP/77 stuff - which I think is heartbeat type messaging.
 
Point is - I don't care that they get out of sync - but I don't want the
buggers doing this:-
 
10.200.0.5/8] fxp2 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [10.200.0.6/8]->[10.200.0.5/8] fxp2 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->[172.17.6.2/8] fxp1 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->[172.17.6.2/8] fxp1 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->[172.17.6.2/8] fxp1 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->
 
and then this:-
 
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.2.6/1031]->[224.0.0.18/77] mcast fxp0 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [194.6.2.166/1032]->[224.0.0.18/77] mcast fxp3 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.6.3/1034]->[224.0.0.18/77] mcast fxp1 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [10.200.0.6/1035]->[224.0.0.18/77] mcast fxp2 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.7.3/1033]->[224.0.0.18/77] mcast dc0 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.2.6/1031]->[224.0.0.18/77] mcast fxp0 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [194.6.2.166/1032]->[224.0.0.18/77] mcast fxp3 l=49
 
And getting so overly busy that they can't handle any other traffic... Has
this been fixed anywhere, or does anyone have any suggestions to mitigate
the problem?

Ben Tyson-Norrman 
DTV IT Manager

Land Line: 0208 433 6160 
Mobile: 07976 230429 

Throw pine cones at a moose and you may get a spruce on your head
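As an added example (not part of the original post or any vendor code), the following Python script parses the "RAF (default) block" log lines quoted above, after re-joining each mail-wrapped entry onto a single line, and flags the pattern the poster describes: a burst of blocked UDP/77 packets to 224.0.0.18 across every interface in the same second, plus ICMP blocks between the two peers' interface addresses. It assumes the log format shown in the post and takes the poster's own guess that UDP/77 to 224.0.0.18 is the heartbeat; the threshold value is an assumption, not a vendor setting.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the post above and re-joined onto one line each
# (the mail client had wrapped them); used here as sample input.
SAMPLE_LOG = """\
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [10.200.0.6/8]->[10.200.0.5/8] fxp2 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->[172.17.6.2/8] fxp1 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->[172.17.6.2/8] fxp1 l=80 f=0x0
Apr  9 14:00:32 prodfrontkit FILTER: RAF (default) block - ICMP [172.17.6.3/8]->[172.17.6.2/8] fxp1 l=80 f=0x0
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.2.6/1031]->[224.0.0.18/77] mcast fxp0 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [194.6.2.166/1032]->[224.0.0.18/77] mcast fxp3 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.6.3/1034]->[224.0.0.18/77] mcast fxp1 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [10.200.0.6/1035]->[224.0.0.18/77] mcast fxp2 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.7.3/1033]->[224.0.0.18/77] mcast dc0 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [172.17.2.6/1031]->[224.0.0.18/77] mcast fxp0 l=49
Apr  9 14:00:35 prodfrontkit FILTER: RAF (default) block - UDP [194.6.2.166/1032]->[224.0.0.18/77] mcast fxp3 l=49
"""

# Matches the format seen in the post: "<ts> <host> FILTER: RAF (<rule>) <action> - <proto>
# [<src>/<sport>]->[<dst>/<dport>] [mcast] <iface> ..." (assumed from the quoted lines only).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) FILTER: RAF \((?P<rule>[^)]*)\) "
    r"(?P<action>\w+) - (?P<proto>\w+) "
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
    r"(?P<mcast> mcast)? (?P<iface>\S+)"
)

# The poster's assumption: UDP/77 to 224.0.0.18 is the HA heartbeat.
HEARTBEAT_GROUP = "224.0.0.18"
HEARTBEAT_PORT = 77


def parse_line(line):
    """Parse one RAF log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["mcast"] = rec["mcast"] is not None
    return rec


def parse_log(text):
    """Parse every matching line; wrapped or truncated fragments are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def detect_heartbeat_block(records, min_per_second=3):
    """Find seconds in which blocked heartbeat packets reach the threshold.

    Returns a list of (timestamp, count, sorted interface list). Blocks on every
    interface at once is what a missing rule family on the peer looks like.
    """
    by_ts = defaultdict(list)
    for r in records:
        if (r["action"] == "block" and r["proto"] == "UDP"
                and r["dst"] == HEARTBEAT_GROUP and r["dport"] == HEARTBEAT_PORT):
            by_ts[r["ts"]].append(r["iface"])
    return [(ts, len(ifs), sorted(set(ifs)))
            for ts, ifs in sorted(by_ts.items()) if len(ifs) >= min_per_second]


def peer_icmp_blocks(records):
    """Count blocked ICMP per (src, dst) pair; peer-to-peer pairs stand out."""
    pairs = Counter()
    for r in records:
        if r["action"] == "block" and r["proto"] == "ICMP":
            pairs[(r["src"], r["dst"])] += 1
    return pairs


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, n, ifaces in detect_heartbeat_block(recs):
        print(f"{ts}: {n} heartbeat packets blocked on {', '.join(ifaces)}")
    for (src, dst), n in peer_icmp_blocks(recs).most_common():
        print(f"ICMP {src} -> {dst} blocked {n}x")
```

Run against a live log the same way (feed the file contents to parse_log); if the heartbeat finding lists every interface in the same second, the rule family for UDP/77 has not made it onto the box writing the log, which matches the partial-sync theory in the post.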
