strange nat-problem with cluster

[veste]

hi group,

i'm using clusterxl in ha-mode (splat, ngx,r60,hfa02), and trying to be a good admin i use ntp (on an a server in the dmz) to sync the time on both.

but i've run into a problem: since the last reboot of both cluster-machines time-syncing does not work anymore on the standby-machine :-(

i took a look into the logs and see a strange thing:
the mashine's ip is hidden behind the virtual cluster-ip.

why does this happen?

any ideas?

thx,
stefan

[dbedit]

What Platform?

[veste]

Quote:

Originally Posted by dbedit

What Platform?

secure platform, ngx, r60, hfa02 on both mashines

[melipla]

I just checked my ngx cluster (hfa03) and my standby member's ntp requests are not being natted. You should check the logviewer to see which NAT rule it's matching. Maybe it's a bad rule?

[veste]

Quote:

Originally Posted by melipla

I just checked my ngx cluster (hfa03) and my standby member's ntp requests are not being natted. You should check the logviewer to see which NAT rule it's matching. Maybe it's a bad rule?

its rule 0:

Service: ntp-udp (123)
Source: fw-3 (xxx.5.101)
Destination: pro (xxx.5.42)
Protocol: udp
Rule: 0 - Implied Rules
NAT rule number: 0
NAT additional rule number: 0
Source Port: ntp-udp (123)
XlateSrc: hafw (xxx.5.1)

btw: if i stop the cp-daemons, everything works.
weird thing :-(
question: how can i see the implied rules in the dashboard? i can't find how.

thx!!!

[abusharif]

Quote:

Originally Posted by veste

its rule 0:

Service: ntp-udp (123)
Source: fw-3 (xxx.5.101)
Destination: pro (xxx.5.42)
Protocol: udp
Rule: 0 - Implied Rules
NAT rule number: 0
NAT additional rule number: 0
Source Port: ntp-udp (123)
XlateSrc: hafw (xxx.5.1)

btw: if i stop the cp-daemons, everything works.
weird thing :-(
question: how can i see the implied rules in the dashboard? i can't find how.

thx!!!

View->Implied Rules

[dbedit]

Check your 3rd party configuration in your gateway cluster properties and uncheck 'hide cluster members' outgoing traffic behind the cluster's IP address'

[veste]

Quote:

Originally Posted by abusharif

View->Implied Rules

thanks! think i need new glasses ;-)

i've looked into the rulebase:
*) there are no implied nat-rules
*) there are no nat-rules at all, where something is hidden behind the cluster-ips
*) i allow outgoing from local-mashine as "before last"

[veste]

Quote:

Originally Posted by dbedit

Check your 3rd party configuration in your gateway cluster properties and uncheck 'hide cluster members' outgoing traffic behind the cluster's IP address'

well, i don't see an "3rd party configurtion"-section in the properties of my gw-cluster. maybe because i use the checkpoint ha-feature?!?

[abusharif]

Quote:

Originally Posted by veste

well, i don't see an "3rd party configurtion"-section in the properties of my gw-cluster. maybe because i use the checkpoint ha-feature?!?

if you are using ClusterXL (have it checked as a product installed) then 3rdparty menu is replaced by ClusterXL. If you uncheck it (meaning u are not actually running the product) then 3rd party thingy will show up.

[rossbird]

Seems like you need to add a nat rule to me.

rule #1
original packet:
src = fw
dst = ntp server
svc = ntp

tranlsated packet:
src = original
dst = original
svc = original

rule #2
original packet:
src = ntp server
dst = fw
svc = ntp

tranlsated packet:
src = original
dst = original
svc = original

[veste]

Quote:

Originally Posted by abusharif

if you are using ClusterXL (have it checked as a product installed) then 3rdparty menu is replaced by ClusterXL. If you uncheck it (meaning u are not actually running the product) then 3rd party thingy will show up.

jabadabadoooooooooo!!

that's it! disabled clusterXL, unchecked the hide-thing in 3rd party,
checked clusterXL, installed and now ist _W O R K S_ !!!

so i don't need the NAT-workaround.

thx to all for your help!

cheers,s.

[abusharif]

Quote:

Originally Posted by veste

jabadabadoooooooooo!!

that's it! disabled clusterXL, unchecked the hide-thing in 3rd party,
checked clusterXL, installed and now ist _W O R K S_ !!!

so i don't need the NAT-workaround.

thx to all for your help!

cheers,s.

Nice to hear! :)

[melipla]

So now I'm confused--why would it use 3rd party cluster settings if ClusterXL was selected?