#4 northlandboy, 2006-08-21
Re: Nokia IPSO cluster only support Checkpoint Load Sharing?

Just to clarify, do you have both your Check Point synchronisation network, and your primary Nokia synchronisation network using the same interfaces on your cluster, through a hub?

Having a separate network with just your management station on it, and no cluster IP, is not a problem (well, assuming your management server doesn't need to route beyond the firewalls).

If I were in your situation, here are some things I would do:

1/ Have a look at the output of cphaprob syncstat and fw ctl pstat. Look for retransmissions, missing updates, dropped by network, etc. If those numbers are looking high, then that won't be helping.

2/ Related to the above, replace that hub with a pair of switches. Configure two separate VLANs on the switch. Configure a secondary Nokia synchronisation network. Then configure Check Point to use the secondary Nokia sync network as its primary sync network, and the primary Nokia sync as its secondary - make sense? So each one has its own primary sync network, but will fail over to use the other's network if required. That should deal with any network-related issues.

3/ Change your cluster config in SmartDashboard to be Load Sharing. Regardless of whether things have worked OK, you've got a problem with OWA and VPNs, and this is a definite misconfiguration.

4/ While looking over the cluster, check all interfaces for errors - check the Ierrs and Oerrs columns in the output of netstat -in. If you've got any, resolve them.

5/ All of the above can be done in a day or so. No guarantees that it will resolve your specific issue, but you should get better performance out of it. You then need to start thinking about your future path though - I'm guessing you're running FP3, which is the last one supported by Check Point - i.e. soon it will be out of support. I would look to upgrade to a newer version of IPSO and Check Point. Primarily to get IPSO upgraded to take advantage of the improved clustering code. This will take a bit more effort though, and more testing (and maybe more $ too).

Out of interest, how busy is your firewall? i.e. typical CPU/memory/throughput/concurrent connections?
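Step 4 above (checking the Ierrs and Oerrs columns of `netstat -in` on each cluster member) is easy to script so it can be re-run after every change. The script below is an added example, not code from the post or from Nokia/Check Point. It locates the error columns by header name and counts them from the right-hand end of each row, so a row with a missing Address field (the constructed `lo0` line) does not shift the counters. The `netstat -in` output embedded in it is constructed sample data in the BSD-style layout; the interface names and counter values are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag interfaces whose
# Ierrs/Oerrs counters in `netstat -in` output are non-zero.

# Constructed sample output; values and interface names are invented.
# The lo0 row deliberately lacks an Address field, as some BSD-derived
# netstat builds print it, to show why columns are counted from the right.
SAMPLE_NETSTAT='Name       Mtu   Network  Address            Ipkts Ierrs   Opkts Oerrs  Coll
eth-s1p1c0 1500  <Link>   00:a0:8e:00:00:01 1234567     0 2345678     0     0
eth-s2p1c0 1500  <Link>   00:a0:8e:00:00:02 8765432   312 7654321     4    57
eth-s3p1c0 1500  <Link>   00:a0:8e:00:00:03   45678     0   34567     0     0
lo0        16384 <Link>                        10000     0   10000     0     0'

# Read netstat -in text on stdin; print "interface ierrs oerrs" for every
# interface with a non-zero input or output error counter.
find_iferrors() {
    awk '
    NR == 1 {
        # Map header names to column positions.
        for (i = 1; i <= NF; i++) col[$i] = i
        if (!("Ierrs" in col) || !("Oerrs" in col)) {
            print "Ierrs/Oerrs columns not found in header" > "/dev/stderr"
            exit 2
        }
        # Offsets from the last column: the trailing counter columns are
        # always present even when an earlier field (e.g. Address) is blank.
        ioff = NF - col["Ierrs"]
        ooff = NF - col["Oerrs"]
        next
    }
    NF > 0 {
        ierr = $(NF - ioff)
        oerr = $(NF - ooff)
        if (ierr + 0 > 0 || oerr + 0 > 0) print $1, ierr, oerr
    }'
}

# Convenience wrapper: run the scan over the constructed sample.
# On a real IPSO box you would pipe `netstat -in` into find_iferrors instead.
errored_interfaces() {
    printf '%s\n' "$SAMPLE_NETSTAT" | find_iferrors
}

# Prints "eth-s2p1c0 312 4" for the sample above.
errored_interfaces
```

Run it on each cluster member and compare the results over time: counters that keep climbing between runs point at a cabling, duplex or hub problem on that interface, which is exactly what step 2 (replacing the hub with switched VLANs) is meant to remove.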