CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3.
2. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Clustering (Security Gateway HA and ClusterXL)
Standby server in ClusterXL HA config not taking over Standby server in ClusterXL HA config not taking over
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2007-09-26
Junior Member
  
Join Date: 2007-09-25
Location: Tampa, FL
Posts: 13
Rep Power: 0
jmillercw has an average reputation (10+)
Default Standby server in ClusterXL HA config not taking over
I've got a question about ClusterXL HA & how the standby server actually takes over. Those of you who are more experienced w/ Checkpoint FW's (1st timer here) can likely push me in the right direction.

Platform: NGXR65 on SPLAT.
- Brand-new config...building from ground up.
- 2 identical hosts with 5 NICs per server, 1 on each dedicated to synchronization network via X-over between hosts.

My question/problem:

I run steady pings to the VIP of the internal interface and they respond. I then do a "stop member" on the active member via SmartView Monitor. I can no longer ping the VIP until I "start member" on what was the primary member. (SmartView Monitor & cphaprob state on secondary server both verify that the secondary is now the primary, fyi).

- Gratuitous ARP turned off on switch (Extreme Networks X450-a)
- IGMP Snooping turned off on same switch

I did a packet capture when I do the "stop member" and I see gratuitous ARP's coming from the "new" primary server for the VIP....but it never seems to actually grab the VIP address & start responding.

I'm figuring I'm just missing something obvious here, which is why I'm posting this.

Any ideas? Do I have to do anything w/ static ARP entries on the Gateways? I don't think I do (haven't found anything that says so), but I'm unsure.

I've scoured the ClusterXL Admin Guide & these very CP forums, and haven't run across anything like my particular situation.

Thanks way in advance,

Jay
Reply With Quote
  #2 (permalink)  
Old 2007-09-27
Junior Member
  
Join Date: 2007-09-25
Location: Tampa, FL
Posts: 13
Rep Power: 0
jmillercw has an average reputation (10+)
Default Re: Standby server in ClusterXL HA config not taking over
Well, I think I figured out my own problem.

It appears to have been a flaw in my ruleset.

I was only allowing SSH & ICMP from the smartcenter server to the internal interfaces of the FW's. (these are the ones i've been testing fail over with).
I had a rule below that denying all other traffic to these interfaces.

Once I created a rule for the 2 interfaces in question to allow ANY between them, fail over now works just fine. I didn't think I had to specify that in my rules.

I'm assuming I'm going to have to do this for all the interfaces on the Clustered FW's.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 16:22.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0