Thread: High Availability VRRP Outgoing traffic behavior




2006-09-25 16:34:01
Well,

First of all, I should say: either you use Cluster XL or you use VRRP. I think that your problem resides there. I've never seen this configuration and I don't think it is correct at all. Try using only VRRP, and verify whether everything is working fine.

Best regards

lino
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of Pedro Boavida
Sent: Friday, September 22, 2006 06:06 a.m.
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] High Availability VRRP Outgoing traffic behavior

Hi,

I'd like some clarification regarding the following situation:

Environment:
Nokia IP1260 Cluster with 2 Members (IPSO 4.0 with NGX R60 HFA04) using 3rd Party VRRP High Availability and Cluster XL for the SyncNetwork

VRRP:
VRRP Monitored Circuits using Legacy Configuration
3rd Party Configuration (Cluster Object):
Support for non-sticky connections - Disable
Hide Cluster Members outgoing traffic behind the Cluster IP address - Enable
Forward Cluster Incoming traffic to Cluster Members IP address - Enable

Problem:
Assuming this, when we initiate a connection from the active member, if we make a tcpdump, the connection SourceMac is the VRRP_MAC and SourceIP is the VIP, and in the SmartTracker we see the IP of the active member being translated to the Cluster IP (VIP) by an implied rule; well, this is the normal behavior.

If we make a connection from the standby member we see the connection getting out (SYN), the SourceMac is the LocalMac and SourceIP is the VIP from the member, and in the SmartTracker we see the IP of the standby member being translated to the Cluster IP (VIP) by an implied rule. The connection is unsuccessful because the SYN-ACK will return to the VIP address and will be processed by the active member, and so I cannot initiate any connection using the standby member; well, this should be the normal behavior also.

The problem is that this behavior is not true on all interfaces of the standby member. On some interfaces the connection is initiated with SourceMAC=LocalMAC and SourceIP=LocalIP, and in the SmartTracker we don't see the IP of the member being translated to the Cluster IP (VIP) by an implied rule, and of course with this behavior the TCP handshake is done and the connection is made.

Can anyone tell which behavior to expect when initiating a connection from a standby member of a VRRPmc configuration regarding the source MAC address and source IP address used by the member?
With the checkbox "Hide Cluster Members outgoing traffic behind the Cluster IP address" enabled, should I not expect the same behavior on all interfaces? Is there a configuration per interface?

Thanks in advance.

Pedro Boavida

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
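
The three source MAC / source IP combinations described in the question can be tabulated per interface from a capture. The following is an added example, not part of the thread and not Check Point or Nokia tooling; it assumes `tcpdump -e -n` text in the current libpcap layout (IPSO's tcpdump may print differently), the standard VRRP virtual MAC prefix 00:00:5e:00:01, and constructed interface names and addresses.

```python
import re
from collections import defaultdict

# Assumed input: text lines from `tcpdump -e -n` in the current libpcap layout.
FRAME = re.compile(
    r"(?P<smac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) > \S+ ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: Flags \[S\]",
    re.IGNORECASE,
)

def is_vrrp_mac(mac):
    """True for the standard VRRP virtual MAC 00:00:5e:00:01:<VRID>."""
    return [int(o, 16) for o in mac.split(":")][:5] == [0, 0, 0x5E, 0, 1]

def classify(line, vips):
    """Label one outgoing SYN by source MAC / source IP, or None if not a SYN."""
    m = FRAME.search(line)
    if m is None:
        return None
    vmac, vip = is_vrrp_mac(m["smac"]), m["sip"] in vips
    if vip:
        # VRRP MAC + VIP: what the post reports from the active member.
        # Local MAC + VIP: hidden standby; the SYN-ACK returns to the VIP owner.
        return "vrrp-mac+vip" if vmac else "local-mac+vip"
    # Local MAC + local IP: not hidden, so the handshake completes.
    return "vrrp-mac+local-ip" if vmac else "local-mac+local-ip"

def summarize(captures, vips):
    """Map interface name -> sorted labels seen among its outgoing SYNs."""
    seen = defaultdict(set)
    for ifname, lines in captures.items():
        for line in lines:
            label = classify(line, vips)
            if label:
                seen[ifname].add(label)
    return {ifname: sorted(labels) for ifname, labels in seen.items()}

# Constructed sample captures taken on a standby member (documentation addresses).
SAMPLE_VIPS = {"192.0.2.1", "198.51.100.1"}
SAMPLE = {
    "eth-s1p1": [
        "06:06:01.10 00:a0:8e:aa:bb:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.1.40001 > 203.0.113.9.80: Flags [S], seq 1, win 5840, length 0",
    ],
    "eth-s1p2": [
        "06:06:02.20 00:a0:8e:aa:bb:02 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 74: 198.51.100.3.40002 > 203.0.113.9.80: Flags [S], seq 1, win 5840, length 0",
        "06:06:02.21 00:11:22:33:44:66 > 00:a0:8e:aa:bb:02, ethertype IPv4 (0x0800), length 74: 203.0.113.9.80 > 198.51.100.3.40002: Flags [S.], seq 9, ack 2, win 5840, length 0",
    ],
}

if __name__ == "__main__":
    for ifname, labels in summarize(SAMPLE, SAMPLE_VIPS).items():
        print(ifname, labels)
```

An interface that reports `local-mac+local-ip` on the standby member is one where the hide-behind-VIP translation is not being applied, which is the inconsistency the question asks about.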
