CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I need help on this issue: I have a SPLAT enforcement module with two interfaces, Internal and External. This SPLAT box is being managed by a Provider-1 SPLAT (manager+container). Everything is running NGx R61 with HFA_01. Everything is running on an EVAL license. The Internal interface has an IP of 10.100.109.2/24, with the ClusterXL IP being 10.100.109.1. The External IP address is 129.174.1.23/24, with the ClusterXL IP being 129.174.1.22. Anti-spoofing is defined properly. Under the global properties, I have automatic ARP, NAT on the destination, etc. By the way, even though I only have a single firewall, I set up the firewall with ClusterXL in Active/Active in Unicast with the intention that I will add another firewall into ClusterXL next week.

I have a very simple rule: Any Any Accept log. I have a Linux host behind the Internal interface with IP 10.100.109.12, and it is NATted to 129.174.1.12. Host 10.100.109.12 has its default gateway as 10.100.109.1.

Once I push the policy, hosts residing on the External network CAN ping the host 129.174.1.12. So far so good. However, if I do "cpstop;cpstart" on the SPLAT enforcement module, hosts residing on the External network CAN NOT ping host 129.174.1.12. Several attempts to push the policy did not solve it. When I do "fw ctl arp" on the SPLAT box, I see this:

    [EM-SPLAT-1-P]# fw ctl arp
    (129.174.1.12) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
    (129.174.1.11) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
    [EM-SPLAT-1-P]#

It means that my static NAT is correct, but hosts on the External network CAN NOT ping the host 129.174.1.12. The only way to fix this is to REBOOT the SPLAT box. Is this normal behavior for a SPLAT enforcement module? I've never seen this with Nokia IP appliances. Can someone clarify this?
Quote:

    route add -host 129.174.1.12 netmask 255.255.255.255 gw 10.100.109.12

(If you have a gateway on 10.100.109.0/24 that your firewall routes to, use that instead of .12.) I think this may help keep the routing up after a cpstop/cpstart.
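As an added check (it is not from the thread and not Check Point's own tooling), here is a small POSIX shell script that parses the output of "fw ctl arp" and "route -n" and reports whether a statically NATted address still has both its proxy-ARP entry and the host route suggested in the reply above. This is the kind of thing to run right after "cpstop;cpstart" to tell a lost route apart from a lost ARP entry before resorting to a reboot. The sample output embedded in the script is constructed from the addresses in this thread; the "route -n" column layout and the interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a statically NATted address
# for (a) a proxy-ARP entry in "fw ctl arp" and (b) a /32 host route in
# "route -n". Offline it runs against the constructed samples below; on a
# live SPLAT box you would pass "$(fw ctl arp)" and "$(route -n)" instead.

# Constructed sample of "fw ctl arp" output, modelled on the first post.
SAMPLE_FW_ARP='(129.174.1.12) at 00-a0-c9-e1-05-b8 interface 129.174.1.23
(129.174.1.11) at 00-a0-c9-e1-05-b8 interface 129.174.1.23'

# Constructed sample of "route -n" output (assumed layout and interfaces),
# including the host route proposed in the reply.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
129.174.1.12    10.100.109.12   255.255.255.255 UGH   0      0        0 eth0
10.100.109.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
129.174.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         129.174.1.1     0.0.0.0         UG    0      0        0 eth1'

# has_proxy_arp NAT_IP ARP_OUTPUT
# Returns 0 when the gateway publishes an ARP entry for NAT_IP.
has_proxy_arp() {
    # Escape the dots so the address is matched literally, not as "any char".
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -q "^($esc) at "
}

# has_host_route NAT_IP ROUTE_OUTPUT
# Returns 0 when a /32 (netmask 255.255.255.255) route to NAT_IP exists.
has_host_route() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 == ip && $3 == "255.255.255.255" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_nat_host NAT_IP ARP_OUTPUT ROUTE_OUTPUT
# Prints one status line per prerequisite; returns 0 only if both hold.
check_nat_host() {
    ip=$1; arp=$2; routes=$3; status=0
    if has_proxy_arp "$ip" "$arp"; then
        echo "ok:   proxy ARP entry present for $ip (fw ctl arp)"
    else
        echo "FAIL: no proxy ARP entry for $ip (fw ctl arp)"; status=1
    fi
    if has_host_route "$ip" "$routes"; then
        echo "ok:   /32 host route present for $ip (route -n)"
    else
        echo "FAIL: no /32 host route for $ip (route -n)"; status=1
    fi
    return $status
}

# Run against the constructed samples; on a live box replace the two
# variables with "$(fw ctl arp)" and "$(route -n)".
check_nat_host 129.174.1.12 "$SAMPLE_FW_ARP" "$SAMPLE_ROUTE_N"
```

With the samples above the script reports both prerequisites as present for 129.174.1.12; for 129.174.1.11 it reports the ARP entry present but the host route missing, which is the split you want to see when deciding whether the reply's "route add" is the relevant fix.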
First of all, I have another identical setup with NG-AI R55 and HFA_20. cpstop;cpstart on the SPLAT box did NOT break anything. Ping still works after that. Apparently something is wrong in NGx. I performed "cpstop;cpstart" because I want to test the box as a proof of concept. I want to make sure that everything still works after that. Well, it worked in NG with AI but failed in NGx. Why?