VRRP fail over issue

[Raedm]

Hi,

I am running a VRRP test, sending an continues ICMP packet (PING command) between an internal and external clients to the ISP. The process would fail over to the secondary FW when the primary goes down. However, opening an FTP sessions between both clients is not failing over when the master goes down.

Notes:
1- I am testing IPSO 4.0 build 40 with NGX R60 HFA_03.
2- the secondary becomes the master after the master gets disconnected.
3- Running an FTP sessions with out the fail over would work fine.
4- Starting another FTP sessions after the master become unviable and the secondary becomes a master would work fine.
5- Smart view tracker showing the following error message when the fail over occurs and the FTP sessions get disconnected " "TCP packet is out of state, first packet isn't SYN tcp_flags:FIN_ACK"


Any suggestions.

[dbedit]

Any routers running VRRP or just only Nokia's?? Could be a asymmetric routing issue. Is 'synchronize connections on clusters' enabled for FTP service, check properties on service FTP, it should be enabled by default.

[Raedm]

Where can I find these options, I looked under voyager and I couldn't find them.

Is 'synchronize connections on clusters' enabled for FTP service, check properties on service FTP, it should be enabled by default.

[northlandboy]

Synchronisation is not a Nokia thing, it's a Check Point thing. Check in Smart Dashboard, not Voyager.

On each node, is synchronisation configured and working correctly? If you run cphaprob state on each module, what output do you get? Does fw tab -t connections -s return similar values for both nodes?

[Raedm]

I applied HFA_04 to the smart center and FWs, which corrected the issue.

Thank you for the help.

[Viggo]

This is definitely interesting. Did anybody else had this kind of issue with NGX R60 before HFA_04 ?

*scratches head*

[northlandboy]

My guess is that the HFA was irrelevant. It looks to me like synchronisation had never been working properly, and one of the nodes needed to be restarted, which happened during the upgrade.

Since no troubleshooting steps were done (or at least, no results were posted here), and the HFA was just applied, you can't say for certain.

I wouldn't worry about it if I was you Viggo.

[Viggo]

Thanks. :)
I´m getting my fair share of trouble with a redundant solution with not one, but two switches (after all, they do want a redundant NETWORK as well, as many people seem to forget) and a pair of Nokias running VRRP (IP Clustering is not an option for now), and I´m using HFA_03. I do want to move to 04 and that seemed like a good reason.

But I agree with you; no way in hell that CP would allow a tough issue with VRRP going flaky for THREE hotfix releases.... right? ;-)