CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3.
2. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Clustering (Security Gateway HA and ClusterXL)
Configure HA whis alias interface Configure HA whis alias interface
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2006-11-30
Junior Member
  
Join Date: 2006-11-30
Posts: 2
Rep Power: 0
misha-kr has an average reputation (10+)
Default Configure HA whis alias interface
Hi,

We tries to configure ClusterXL HA New Mode and has some issues with virtual interfaces. Cluster has real interfaces and some real interfaces have additional (alias) interfaces.
For example:
eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:07:e9:1a:6e:a8 brd ff:ff:ff:ff:ff:ff
inet 192.168.60.4/28 brd 192.168.60.15 scope global eth1
inet X.X.15.225/28 brd X.X.15.239 scope global eth1:2
eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:07:e9:1a:6d:d7 brd ff:ff:ff:ff:ff:ff
inet Y.Y.68.35/28 brd Y.Y.68.47 scope global eth2
inet 192.168.60.203/29 brd 192.168.60.207 scope global eth2:1


We configure cluster object and add all real and alias interfaces to topology. Install test policy (Any Any Accept). After that we try to test connections on different IP addresses of ClusterXL. For pinging we use test PC from same physical network.

Example
Cluster IP:
eth2
Real IP: Y.Y.68.35/28
Virtual IP: Y.Y.68.33/28
eth2:1
Real alias IP: 192.168.60.203/29
Virtual alias IP: 192.168.60.201/29

Test PC:

Y.Y.68.34/28
192.168.60.202/29

If we try to PING address of virtual IP cluster (Y.Y.68.33)– PING is ok. If we try to PING address of virtual alias IP cluster (192.168.60.201) – PING is fault. We thing that it happened because Cluster doesn’t return MAC address of virtual alias IP: 192.168.60.201/29.

Example TCPDump from cluster:
[root@fw root]# tcpdump -i eth2
tcpdump: listening on eth2
15:08:01.542711 arp who-has 192.168.60.201 (Broadcast) tell 192.168.60.202
15:08:02.542592 arp who-has 192.168.60.201 (Broadcast) tell 192.168.60.202
15:08:03.542721 arp who-has 192.168.60.201 (Broadcast) tell 192.168.60.202
15:08:04.542726 arp who-has 192.168.60.201 (Broadcast) tell 192.168.60.202
15:08:05.542855 arp who-has 192.168.60.201 (Broadcast) tell 192.168.60.202

Whether can ClusterXL work with alias interfaces?


P.S.
OS Linux RedHat 7.3
Last edited by misha-kr; 2006-11-30 at 08:32.
Reply With Quote
  #2 (permalink)  
Old 2006-11-30
Senior Member
  
Join Date: 2006-06-14
Location: The Netherlands
Posts: 153
Rep Power: 3
dbedit has an average reputation (10+)
Default Re: Configure HA whis alias interface
There is a platform limitation on this feature. It is supported on Red Hat 7.3, SecurePlatform FP3 and Solaris 8 (32 bit/64 bit) with GigaSwift ethernet adapter. It works on Red Hat 7.2 and VLAN patch as well, but since it requires private Linux kernel compilation, it is not supported by Check Point.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 04:04.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0