CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 | 2007-09-12 | brierw (Member)
Please HELP

Hello,

We have an IPSO cluster running version 4.2-Build042 HF002 using Checkpoint R60 with HFA04 and are having a very odd issue. We have three IPs, one for each cluster member as would be expected, and one IP for the cluster. Now to the problem...

I cannot ping all three IPs at once. This means if the internal IPs were as follows, there would always be one of the three that I was unable to ping.

Cluster member one internal IP 192.168.110.46
Cluster member two internal IP 192.168.110.47
Cluster IP 192.168.110.48

The kicker is the "one" I cannot ping switches randomly between the three IPs without notice??? Does anyone have any ideas or has anyone experienced this before? Tracker does not show there being any issues on the firewall cluster and we are not seeing anything that isn't working??

We first noticed the problem via our monitoring system, which has a ping to each of the nodes' internal IPs as well as the cluster IP, and noticed that it would just randomly start failing??? When we would try from our desks we would also see the same random problem.

Does anyone have anything for me on this? Not really sure where else to look to find this issue's root cause.

Thanks in advance for your replies...

#2 | 2007-09-13 | Routerkid1 (Senior Member)
Re: Please HELP

I would make sure you allow ping to all members in the rulebase. If it turns out you cannot ping the pivot, this is normal.

#3 | 2007-09-13 | cciesec2006 (Senior Member)
Re: Please HELP

Hi,

This is a known issue since Checkpoint NG Feature Pack 3. You must ping these IP addresses from Windows, right? If that's true, that is a known issue with Checkpoint on the SPLAT, Nokia, Windows and Solaris platforms.

Since you have the Nokia platform, do the following:

1. Download and install the Modzap Utility from support.nokia.com.

2. On the Security Gateway, type at prompt:

modzap fw_allow_simultaneous_ping $FWDIR/boot/modules/fwmod.o 0x1

3. Reboot the module.

If you do not want to reboot the box, you can do the following:

fw ctl set int fw_allow_simultaneous_ping 1

That will allow you to ping both the physical IP address and the cluster IP at the same time.
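
As an added example (not part of the thread and not Check Point code), the sketch below classifies monitoring output so that the symptom described in the first post, one address lost per poll with the lost address moving around, can be told apart from a single node that stays down. The log format, function names and labels are assumptions; the addresses are the ones given in the first post.

```python
# Added example: log format, function names and labels are assumptions.
ADDRESSES = ("192.168.110.46", "192.168.110.47", "192.168.110.48")  # from the first post

# Constructed monitoring output, one line per probe: "<poll time> <address> <OK|FAIL>"
SAMPLE_LOG = """\
10:00 192.168.110.46 OK
10:00 192.168.110.47 OK
10:00 192.168.110.48 FAIL
10:01 192.168.110.46 FAIL
10:01 192.168.110.47 OK
10:01 192.168.110.48 OK
10:02 192.168.110.46 OK
10:02 192.168.110.47 FAIL
10:02 192.168.110.48 OK
"""


def failed_per_poll(log):
    """Group probe lines by poll time; return [(poll_time, failed_addresses)]."""
    polls = {}  # dicts keep insertion order, so polls stay in log order
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ADDRESSES:
            continue  # ignore blank lines and probes of other hosts
        when, addr, state = parts
        failed = polls.setdefault(when, set())
        if state != "OK":
            failed.add(addr)
    return list(polls.items())


def classify(log):
    """Label a monitoring window by the shape of its ping failures."""
    polls = failed_per_poll(log)
    failing = [failed for _, failed in polls if failed]
    if not failing:
        return "healthy"
    victims = set().union(*failing)
    # Exactly one address lost per poll, and the lost address moves around:
    # this is the pattern the first post describes.
    if all(len(f) == 1 for f in failing) and len(victims) > 1:
        return "rotating-single-failure"
    # The same single address is lost in every poll: look at that node itself.
    if len(victims) == 1 and len(failing) == len(polls):
        return "sustained-outage"
    return "inconclusive"


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Running the same classification on windows captured before and after changing fw_allow_simultaneous_ping shows whether the rotating pattern has gone away.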