Hi,
I'd like some clarification regarding the following
situation:
Environment:
Nokia IP1260 Cluster with 2 Members (IPSO 4.0 with NGX R60 HFA04) using 3rd Party VRRP High Availability and Cluster XL for the SyncNetwork
VRRP:
VRRP Monitored Circuits using Legacy Configuration
3rd Party Configuration (Cluster Object):
Support for non-sticky connections - Disable
Hide Cluster Members outgoing traffic behind the Cluster IP address - Enable
Forward Cluster Incoming traffic to Cluster Members IP address - Enable
Problem:
Assuming this, when we initiate a connection from the active
member, if we make a tcpdump, the connection SourceMac is
the VRRP_MAC and SourceIP is the VIP, and in the
SmartTracker we see the IP of the active member being
translated to the Cluster IP (VIP) by an implied rule. Well,
this is the normal behavior.
If we make a connection from the Standby member we see the
connection getting out (SYN), the SourceMac is the LocalMac
and SourceIP is the VIP from the member, and in the
SmartTracker we see the IP of the standby member being
translated to the Cluster IP (VIP) by an implied rule. The
connection is unsuccessful because the SYNACK will return to
the VIP address and will be processed by the active member,
and so I cannot initiate any connection using the standby
member. Well, this should be the normal behavior also.
The problem is that this behavior is not true on all
interfaces of the standby member. On some interfaces the
connection is initiated with SourceMAC=LocalMAC and
SourceIP=LocalIP, and in the SmartTracker we don't see the IP
of the member being translated to the Cluster IP (VIP) by an
implied rule, and of course with this behavior the TCP
handshake is done and the connection is made.
Can anyone tell which behavior to expect when initiating a
connection from a standby member of a VRRPmc configuration
regarding Source Mac address and source IP address used by
the member?
With the checkbox "Hide Cluster Members outgoing
traffic behind the Cluster IP address" enabled, should
I not expect the same behavior on all interfaces? Is there a
configuration per interface?
Thanks in advance.
Pedro Boavida