Thread: several VRRP clusters on the same VLAN or Switch

several VRRP clusters on the same VLAN or Switch
user name
2008-02-27 16:00:03
Hi,

I am setting up a lab with 2 Nokia in VRRP in Master/Backup mode with 4 interfaces and 1 for the synchro. I connected all the interfaces except the synchro one to the same switch but on different VLANs.

Everything worked fine for my lab but after a reboot of the switch the configuration was erased and all the VLANs disappeared and I started to see some strange behaviour. I saw some drops on the Firewall and especially on the VRRP multicast address. I was first thinking that this was normal due to the missing VLANs. But all my VRIDs (for a member) are different for all the interfaces. So all the VMACs are also different.

After reviewing the drops I saw that the message was a spoofing error from the firewalls to the multicast address.

I tried to make a tcpdump on all my interfaces to 224.0.0.18 and I clearly saw all the traffic go through it. And I tried to see if there is a problem on the failover configuration, and the Cluster still works fine.

So I tried to delete the cluster object and separate each member only on the Checkpoint configuration; the Nokia cluster was still available. I did not perform antispoofing and I put a rule with any any accept. I still have the drop on the multicast address and the Nokia cluster was OK.

I checked that it is not recommended to have several clusters on the same VLAN or Switch but there is a workaround but only for the ClusterXL configuration and not on Nokia VRRP.

Thus I do not understand this behaviour.

Does anybody have any explanation?

BR

K

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================

Re: several VRRP clusters on the same VLAN or Switch
user name
2008-02-27 18:28:20
On Wed, Feb 27, 2008 at 11:00 PM, kazeka sho <kazeka82@gmail.com> wrote:
> Hi,
>
> I checked that it is not recommended to have several clusters on the same
> VLAN or Switch but there is a workaround but only for the ClusterXL
> configuration and not on Nokia VRRP.

Hello Kazeka,

Even if you are using VRRP MC on your Nokia cluster, the firewall state table is still synched with ClusterXL.

So, if both clusters' state synchronization networks are connected on the same vlan you have to proceed this way. On both members of only one cluster insert in the file $FWDIR/boot/modules/fwkern.conf the following vars:

fwha_mac_magic=0xfe
fwha_mac_forward_magic=0xfd

Concerning Checkpoint config you have to add a rule for vrrp such as this (above the stealth rule):

fwcluster-object     224.0.0.18      vrrp, igmp    accept


Sidney


Re: several VRRP clusters on the same VLAN or Switch
user name
2008-02-28 02:02:39
Thanks for your answer.

In fact, it is not a problem with the synchro network, because there is only one synchro network directly linked with a cross cable to both of the members, but with the drop from my firewall to the multicast address. I only have one cluster with two Nokias but all my interfaces are connected to the same switch with no VLAN. I put a rule with any any accept, disabled the antispoofing and I still have the same drops saying there is an antispoofing error. I also separated the cluster to see if the problem is the same. If I unload the policy, everything is OK.

I would like to know why Checkpoint said there is an antispoofing problem since all my IP addresses are different but also my VRIDs and thus my VMACs.

In network design, I do not see the problem (even if it is not a good design and I should separate this with VLANs). But in security design what is the problem?

BR,

K




Re: several VRRP clusters on the same VLAN or Switch
user name
2008-02-28 12:49:02

kazeka sho <kazeka82@GMAIL.COM> wrote:
>
> I would like to know why Checkpoint said there is an antispoofing problem
> since all my IP addresses are different but also my VRIDs and thus my VMACs.

It could be as simple as when your system sends out a VRRP packet on each interface, the source IP on the packet is the IP of the particular interface.  Since VRRP is multicast, that packet then gets received on another interface, and the firewall believes that someone on the network is spoofing its own IP (on a different interface).

Examine your logs and see if the spoof check is happening inbound, or outbound, and which interface it occurs on.  I think you will find that you will get a complaint from inbound multicast packets on each interface that does not have that particular IP on it, so the effect will be multiplied by the number of interfaces you have.

-- 
David DeSimone == Network Admin == fox@verio.net

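A small model of the mechanism David describes, added here as an example (it is not code from the thread, from Check Point or from Nokia): every interface sends a VRRP advertisement to 224.0.0.18 sourced from its own IP, a switch with no VLANs floods that frame back in on the firewall's other interfaces, and a topology-based anti-spoof check then sees the firewall's own address arriving inbound on the wrong interface, once per other interface. Interface names and addresses are constructed, and the check is a simplified stand-in for the product's real anti-spoofing logic.

```python
import ipaddress
from dataclasses import dataclass

VRRP_MCAST = ipaddress.ip_address("224.0.0.18")  # VRRP advertisement group named in the thread


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # the firewall's own IP on this interface, with prefix length
# Constructed lab: four switched interfaces as in the thread; the sync link is off the switch.
LAB = [Interface("eth0", "10.1.0.2/24"), Interface("eth1", "10.2.0.2/24"),
       Interface("eth2", "10.3.0.2/24"), Interface("eth3", "10.4.0.2/24")]

def own_addresses(ifaces):
    """Map each of the firewall's own IPs to the interface it is configured on."""
    return {ipaddress.ip_interface(i.address).ip: i.name for i in ifaces}

def vrrp_advertisements(ifaces):
    """Each interface sends one advertisement to 224.0.0.18 sourced from its own IP."""
    return [(i.name, ipaddress.ip_interface(i.address).ip, VRRP_MCAST) for i in ifaces]

def deliver(ifaces, adverts, vlan_per_interface):
    """Model the switch: with no VLANs a multicast frame is flooded to every other port, so each
    advertisement lands inbound on the other interfaces; one VLAN per interface isolates them."""
    if vlan_per_interface:
        return []
    return [(i.name, src) for sender, src, _dst in adverts for i in ifaces if i.name != sender]

def antispoof_verdict(ifaces, ingress, src_ip):
    """None if the inbound packet passes the spoof check, else the reason it is dropped."""
    src_ip = ipaddress.ip_address(src_ip)  # accept either a string or an address object
    mine = own_addresses(ifaces)
    if src_ip in mine and mine[src_ip] != ingress:
        return f"own address {src_ip} of {mine[src_ip]} arrived inbound on {ingress}"
    net = next(ipaddress.ip_interface(i.address).network for i in ifaces if i.name == ingress)
    if src_ip not in net:
        return f"{src_ip} is outside the topology {net} expected behind {ingress}"
    return None

def spoof_drops(ifaces, vlan_per_interface=False):
    """(ingress, source, reason) for every VRRP advertisement the spoof check would log."""
    drops = []
    for ingress, src in deliver(ifaces, vrrp_advertisements(ifaces), vlan_per_interface):
        reason = antispoof_verdict(ifaces, ingress, src)
        if reason:
            drops.append((ingress, src, reason))
    return drops

if __name__ == "__main__":
    print(*spoof_drops(LAB), sep="\n")  # 4 senders x 3 other interfaces = 12 spoof drops
```

With the four constructed interfaces on a flat switch the model logs 12 drops, one per (sender, other interface) pair, and none once each interface sits in its own VLAN, which is the multiplication by interface count David predicts.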

Re: several VRRP clusters on the same VLAN or Switch
user name
2008-03-07 04:35:35
Hello,

You're right. I checked my logs and made a tcpdump on my network interfaces and saw what you described.

Regards,

K


