fw ctl zdebug - output

[Danielpb]

Hi People,

wonder is anyone has seen this before...

In short I'm having issues pinging/ssh to the cluster VIP (Simplfied VRRP).
All VPNs seems to be fine....

The output of fw ctl zdebug show the following drops:

fw_log_drop: Packet proto=1 193.##.##.##:2048 -> 85.##.##.##:18473 dropped by fwha_forw_run Reason: Failed to send to another cluster member

cheers

Dan

[Routerkid1]

Cluster-member Ping

VPN-1/Firewall-1 does not allow pinging a cluster virtual IP and a real IP addresses of one of the Cluster Members simultaneously. Several tools perform such simultaneous Pings.
There is a solution for this (available since HFA_315), which can be enabled by setting the kernel global parameter fw_allow_simultaneous_ping to "1".

Related solutions:
sk27105 - Verifications performed by VPN-1/FireWall-1 NG with 'Any Any Any Accept' rule.
sk26202 - Changing the kernel global parameters on all platforms.

And make sure you have a rule above the Stealth rule to allow SSH and icmp and http to the firewall from your machine only or a group of admin machines.

[cciesec2006]

Quote:

Originally Posted by Routerkid1

Cluster-member Ping

VPN-1/Firewall-1 does not allow pinging a cluster virtual IP and a real IP addresses of one of the Cluster Members simultaneously. Several tools perform such simultaneous Pings.
There is a solution for this (available since HFA_315), which can be enabled by setting the kernel global parameter fw_allow_simultaneous_ping to "1".

This only applies to Windows systems. If you ping from Linux/Unix systems,
Firewall-1 will let you ping both the cluster and member gateways at the same
time.

[Danielpb]

I did miss some vital information off this to be fair....

There are 2 external interfaces being used which are allocated Vlans.

It seems the issue might be the fact simplified mode is setup to supply the same Vmac to each interface and causing the switch to throw a benny.

I was going to try and set static Vmacs to see if this resolves it.

Cheers

Dan

[rogermilla]

Quote:

Originally Posted by Danielpb

Hi People,

wonder is anyone has seen this before...

In short I'm having issues pinging/ssh to the cluster VIP (Simplfied VRRP).
All VPNs seems to be fine....

The output of fw ctl zdebug show the following drops:

fw_log_drop: Packet proto=1 193.##.##.##:2048 -> 85.##.##.##:18473 dropped by fwha_forw_run Reason: Failed to send to another cluster member

cheers

Dan

I encountered the same problem as well when I issue fw ctl zdebug as well.

fw_log_drop: Packet proto=1 x.x.x.x:2048 -> x.x.x.x:27357 dropped by fwha_forw_run Reason: Failed to send to another cluster member