
Thread: IPSO clustering issue




IPSO clustering issue
2007-03-31 09:13:14
Hello,

We have an issue with two IP1220 boxes running IPSO 4.2 and Check Point NGX R62 over them. The idea is to use them as a cluster configured with IPSO Clustering, but so far this has not been possible.

With an SMC on a separate machine (obviously) a single IP1220 works as a firewall module with no problems at all, but when the second box comes into the scenario, things start to turn complicated. Clustering seems to work OK at the IPSO level, as in Voyager it is possible to see the state of the boxes, and some tests showed that bringing down one of the boxes left the other as the only active one, but when the CP policy is installed to make them become a firewall cluster a lot of problems come up. Sometimes an interface of the Nokias reports as failing (it is not always the same interface), sometimes SIC fails and it is not possible to install policy changes (most likely related to the previously described issue), outbound traffic through the cluster turns extremely slow, inbound traffic to public servers located on a DMZ stops completely, and SV Tracker does not show anything that could lead one to think it is a policy rules issue (anyway, the same policy on a single gateway works perfectly).

Has anybody seen issues like this before?

-- 
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: IPSO clustering issue
Netherlands
2007-03-31 09:54:58
On Sat, 31 Mar 2007, Sergio Alvarez wrote:

> We have an issue with two IP1220 boxes running IPSO 4.2 and Check Point NGX
> R62 over them. The idea is to use them as a cluster configured with IPSO
> Clustering, but so far this has not been possible.

There is a load of issues you must check:
  - cpconfig setting for clustering
  - cplic print to check you got the right license
  - IP config of the cluster and its members
  - Proper object definitions (incl. antispoofing ...)

Most definitely check out recent items regarding the exact build of your IPSO version. There are a number of issues with recent IPSO versions just covered lately in new builds. (It did impact VRRP so the clustering mode might suffer as well.)

Hugo.

-- 
 	hvdkooijvanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 		(Thanks JFK, for the insight.)

