
Thread: Re: Checkpoint SIC trouble. Urgent help please!!!!




Re: Checkpoint SIC trouble. Urgent help please!!!!
United States
2008-05-16 10:13:23
"Non-eval licenses"? What are you talking about? The 30-day eval license is good and it has all the features I need to test. I have another Provider-1 NG R61 with HFA_03 using the same license, and I do not have this issue. Furthermore, I am not seeing this issue in enforcement modules on the 2.4 kernel. It can't be the license.

The Provider-1 and the CMA are residing on the SAME network as the enforcement module. There is NO routing issue. You can rule this out as a possible cause.

It seems like others are experiencing the same issue I have with managing 2.6 kernel SPLAT enforcement modules from a SmartCenter or Provider-1 on the 2.4 kernel.



Eric Janz <e.janzBARCELOVIAJES.COM> wrote: Hi,

First I would recommend that you set up non-eval licenses; this can be a good reason for your strange behaviour.

Regarding the SIC issue, we have the following setup:

- 2-node NGX R65 cluster (Forwarding Mode / Static work assignment) with public IP addresses as the main IPs
- SmartCenter NGX R65 in a management network with its default gateway set to the cluster's IP address in the management network.

We also have problems with SIC establishment and/or maintenance if we leave this setup without specific routes to the external gateway IPs through the gateway IPs in the management network. We solved this issue by setting up two routes on the SmartCenter server so that traffic to the external IP of each gateway gets routed through the same gateway.

Example:

Cluster
        External IP 1.1.1.1 (configured as cluster main IP in the SmartCenter cluster setup)
        Internal IP 10.10.10.1
Node 1
        External IP 1.1.1.2 (configured as node 1 main IP in the SmartCenter cluster setup)
        Internal IP 10.10.10.2
Node 2
        External IP 1.1.1.3 (configured as node 2 main IP in the SmartCenter cluster setup)
        Internal IP 10.10.10.3

SmartCenter in internal network:
        IP: 10.10.10.4
        Default Gateway: 10.10.10.1
        Route 1.1.1.2 via 10.10.10.2
        Route 1.1.1.3 via 10.10.10.3


I always have to set it up this way if I don't want to have problems with the communication between the SmartCenter and the enforcement modules, but I cannot explain why it is this way; I think it is related to local interface address spoofing. Does anybody else have this same setup and/or behaviour? Is this normal, or am I missing something?

PS: I just remembered another case related to SIC problems, and it was due to localhost not being defined locally on the gateways in the /etc/hosts file.

Regards,
Eric Janz
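As an added illustration (not from Eric's post or from Check Point), the following Python model of the SmartCenter's routing table shows how the two host routes change the next hop chosen for each node's external address: with only the default route, both 1.1.1.2 and 1.1.1.3 are handed to the cluster address 10.10.10.1, while with the /32 routes each node's external IP is reached via that node's own internal interface, which is the symmetric path Eric describes. The addresses are Eric's; the table layout and function names are assumptions for the example.

```python
import ipaddress

# Constructed routing tables modelled on the addresses in Eric's post.
# (prefix, next_hop); next_hop None means directly connected.
ROUTES_WITHOUT_HOST_ROUTES = [
    ("10.10.10.0/24", None),      # management network, directly connected
    ("0.0.0.0/0", "10.10.10.1"),  # default gateway = cluster IP in mgmt net
]
ROUTES_WITH_HOST_ROUTES = ROUTES_WITHOUT_HOST_ROUTES + [
    ("1.1.1.2/32", "10.10.10.2"),  # node 1 external IP via node 1 internal IP
    ("1.1.1.3/32", "10.10.10.3"),  # node 2 external IP via node 2 internal IP
]

# node name -> (external/main IP used for SIC, internal IP in mgmt net)
NODES = {"node1": ("1.1.1.2", "10.10.10.2"),
         "node2": ("1.1.1.3", "10.10.10.3")}


def next_hop(table, dst):
    """Longest-prefix match over the table; returns the next hop, or None
    when the destination is directly connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def sic_paths(table, nodes):
    """For each cluster member, report which next hop the SmartCenter would
    use to reach its external (SIC) address and whether that hop is the
    member's own internal interface (the symmetric case)."""
    report = {}
    for name, (ext_ip, int_ip) in nodes.items():
        hop = next_hop(table, ext_ip)
        report[name] = {"next_hop": hop, "symmetric": hop == int_ip}
    return report


if __name__ == "__main__":
    for label, table in (("default route only", ROUTES_WITHOUT_HOST_ROUTES),
                         ("with /32 host routes", ROUTES_WITH_HOST_ROUTES)):
        print(label, sic_paths(table, NODES))
```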




cisco4ng
Sent by: Mailing list for discussion of Firewall-1

16/05/2008 14:25
Please reply to
Mailing list for discussion of Firewall-1

To
FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
cc

Subject
[FW-1] Checkpoint SIC trouble.  Urgent help please!!!!






I have a situation:

A pair of IBM 3650s with dual quad-core 3.16 GHz processors and 4GB RAM running in ClusterXL Active/Active Unicast mode. The Checkpoint software is NGX R65 on the 2.6 kernel.

This firewall pair is being managed by Provider-1 NGX R65 on the 2.4 kernel with HFA_02, running on a Dell 2850 with dual 3.06 GHz processors and 8GB RAM.

Logs on the firewalls are being sent to a Provider-1 MLM and a standalone CLM. Provider-1 is NGX R65 with HFA_02 on the 2.4 kernel. The standalone CLM is NGX R65 on the 2.6 kernel on a Dell 2950-III box.

Everything is running a Checkpoint 30-day eval license.

I have about 300 rules in the security policy. I pushed policy to the pair of firewalls. Everything is working fine and I get no errors when pushing policy to the firewalls.

I have a couple of QoS rules in the QoS policy. I see NO errors when pushing policy to the firewalls.

At this point I start pushing about 900Mbps between the Iperf client/server through the firewall.

Here are the two issues I have:

1- In SmartView Monitor, it tells me that I have NO QoS policy installed on gw1 and gw2.

2- Every two hours, I lose SIC to either the gw1 or the gw2 firewall. I verified this by performing "test SIC" on the cluster members. When I push policy to the firewall, it tells me that the policy push failed to either the gw1 or the gw2 member. The only way for me to fix it is to re-SIC and reboot the firewall and re-establish SIC with the Provider-1 CMA.

Is this a bug in Checkpoint or something? My setup is a very simple one.

Comments anyone? Thanks.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
 



--

LEGAL ADVISORY
This message is confidential and intended only for the person or entity to which it is addressed. In order to read its privacy policy consult it at http://www.barceloviajes.com/privacy



