| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello, I don't know if I can post here but I'm trying. I have a problem. Perhaps someone can help me. In a lab test, I've configured 2 SPLAT (NG AI R55 HFA17). Splat 1: 10.1.5.101, Splat 2: 10.1.5.102, Virtual IP: 10.1.5.100. I would like to ping all the firewalls (Splat 1, Splat 2 AND IP of the cluster). I've allowed ICMP Request in global properties. Cluster XL: High Availability New mode. I can ping only 2 of the 3 IPs and it is never the same one that doesn't respond. Sometimes Virtual IP and Splat 1 respond and no response from Splat 2. Sometimes Splat 1 and Splat 2 respond and no response from Virtual IP ... Even if one IP doesn't respond, I can access that IP via SSH or anything else!!! In SmartView Tracker, nothing is blocked. Any idea about that problem? Thanks a lot. Dimarc |
| |||
| Check out sk26874 on the Check Point knowledgebase. There is a command that you can run to allow this. It won't survive a reboot so you have to add the line to a file as well. |
| |||
| Thanks Lackie, I've found this article on Secure Knowledge but I can't read it. I've been CCSE certified for 1 month and I'm waiting for my certificate and my account for the Check Point website. Can you paste me the article? Thank you very much. Regards, Marc |
| |||
Hello Chaman,

This is the answer. It works. Enjoy :-)

Symptoms

Unable to simultaneously ping the cluster IP address and cluster-member physical IP address from a remote host.
arp -a displays MAC addresses of cluster and cluster-member IP addresses.

Solution

This problem was fixed in the following HFAs (HotFix Accumulators):

VPN-1/FireWall-1 NG FP3 HFA_315
VPN-1/FireWall-1 NG with Application Intelligence R54 HFA_401
VPN-1/FireWall-1 NG with Application Intelligence R55 HFA_01

After downloading the fix, modify the Kernel Global Property, "fw_allow_simultaneous_ping".

Check Point recommends to always upgrade to a recent version, and to the most recent HFA of this version. To get the latest HFA for your product, version and Operating System, go to http://www.checkpoint.com/techsupport/hfa.html.

--------------------------------------------------------------------------------

After the HFA is applied, the Kernel Global Property may be configured, so that a reboot is not required. This can be accomplished by running the command:

    fw ctl set int fw_allow_simultaneous_ping 1

The integer value entered must be in decimal when using this command. This may also serve as a test method before committing sustained changes.

--------------------------------------------------------------------------------

The below changes will set the kernel parameter permanently, such that it will survive reboots:

Windows:
1. On the Security Gateway, edit the registry.
2. Add a DWORD value "fw_allow_simultaneous_ping" under the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters\Globals
3. Modify the value "fw_allow_simultaneous_ping", and enter "1" under "value data".
4. Select "hexadecimal" for "Base".
5. Exit the registry.
6. Reboot.

Solaris:
1. On the Security Gateway, edit the file /etc/system.
2. Add the line: set fw:fw_allow_simultaneous_ping=1
3. Reboot.

SecurePlatform/Linux:
1. On the Security Gateway, edit the file $FWDIR/boot/modules/fwkern.conf (Note: Create fwkern.conf if it does not exist.)
2. Add the line: fw_allow_simultaneous_ping=1
3. Reboot.

Nokia IPSO:
1. Download and install the Modzap Utility from support.nokia.com.
2. On the Security Gateway, type at prompt: modzap fw_allow_simultaneous_ping $FWDIR/boot/modules/fwmod.o 0x1
3. Stop/start the firewall services by typing at prompt: cpstop;cpstart

Applies To: VPN-1/Firewall-1 NG FP3, NG with AI R54, NG with AI R55

ICMP Succes
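
The SecurePlatform/Linux steps from the post above, written as an added shell example (not part of the original post or of the SK article): it creates fwkern.conf if it is missing, replaces any stale or duplicate assignment of the parameter, and keeps a backup. The helper names `set_fwkern_param` and `apply_runtime`, the `APPLY` switch and the `.bak` suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Check Point code. set_fwkern_param and apply_runtime
# are hypothetical helper names introduced here.

# Ensure "<name>=<value>" appears exactly once in the given fwkern.conf.
set_fwkern_param() {
    conf=$1 name=$2 value=$3
    # Example's own choice: accept only identifier names and decimal values.
    case $name in ''|*[!A-Za-z0-9_]*) echo "bad name: $name" >&2; return 2 ;; esac
    case $value in ''|*[!0-9]*) echo "bad value: $value" >&2; return 2 ;; esac

    # The SK says to create fwkern.conf if it does not exist.
    [ -f "$conf" ] || touch "$conf" || return 1

    # Nothing to do if the parameter is already set once, to this value.
    if [ "$(grep -c "^$name=" "$conf")" = 1 ] && grep -qx "$name=$value" "$conf"; then
        return 0
    fi

    cp -p "$conf" "$conf.bak" || return 1
    # Drop every stale assignment of this parameter, keep all other lines,
    # then append the single wanted line.
    { awk -F= -v n="$name" '$1 != n' "$conf.bak"; echo "$name=$value"; } > "$conf"
}

# Set the value in the running kernel (command quoted in the SK; decimal only).
apply_runtime() {
    command -v fw >/dev/null 2>&1 || { echo "fw not in PATH" >&2; return 3; }
    fw ctl set int "$1" "$2"
}

# On the gateway: APPLY=1 sh this_script.sh   (does nothing unless APPLY=1)
if [ "${APPLY:-0}" = 1 ] && [ -n "${FWDIR:-}" ]; then
    set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fw_allow_simultaneous_ping 1 &&
        apply_runtime fw_allow_simultaneous_ping 1
fi
```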