Big problem with Clustering!!!

[doccocaubai]

I have a diagram:


I have a big problem with that diagram. At the same time, I just can ping 1 or 2 IP address on nokia. Ex:
I can ping 192.168.2.252, 192.168.2.253 but can not ping 192.168.2.254.
But a moment later, I can ping 192.168.2.254 but can not ping 192.168.2.252 or 192.168.2.253.
And that problem also appear with other interfaces.
I check that cluster working functionally. But that problem still appear. What can I do?
Please, help me!!

[eduardw]

Hi,

When your not able to ping one of the nodes, did you see the echo request arriving on the interface of the node (fw mon , or tcp dump). Also check the tracker. When you do not see the incoming echo request you could have an arp problem some where in your network.

I presume that some where in the network is a router which routes the traffic from the smart center to the nodes. If so check the arp time out on this router.
When the problems occurs the try deleting the arp cache on this router, and then check again.


Eduard

[pat13b]

I ran into this same problem and it ended up being a multicast problem.

I was doing IPSO clustering and getting different results using diffrent cisco switches. I know it is probably not recommended to go to forwarding mode, but that's how I ended up fixing the problem, and it's been fine ever since.

-pat13b

[doccocaubai]

My cluster is running in forwarding mode. I checked the tracker but nothing concert with arp. And in smartcenter I configured the policy permit any any. But that problem still happen.

[pat13b]

Hmmm, Not sure.

- How about topology in check point. Does this look correct?
- Global policy have accept ICMP ?
- looking at voyager "cadmin" does this show anything?

-pat13b

[Routerkid1]

put the cluster in broadcast mode with cphaconf set_ccp broadcast command The default is multicast and the cluster mode can be restored to the default by typing cphaconf set_ccp multicast

[taichan]

It's normal (default) that you can't ping both member IPs.

Take a look at the sk33285, there is an option fw_allow_simultaneous_ping

And how you can change kernel parameter on all platforms: sk26202


best regards

Tim

[abusharif]

Quote:

Originally Posted by taichan

It's normal (default) that you can't ping both member IPs.

Take a look at the sk33285, there is an option fw_allow_simultaneous_ping

And how you can change kernel parameter on all platforms: sk26202


best regards

Tim

As an addition to above explained, be "careful" if you enable this since _every_ icmp request will be logged. So if you send 10 pings to the firewall, all 10 will be logged as individual entry in the log which can make logs grow fast ;-)

[taichan]

Quote:

Originally Posted by abusharif

As an addition to above explained, be "careful" if you enable this since _every_ icmp request will be logged. So if you send 10 pings to the firewall, all 10 will be logged as individual entry in the log which can make logs grow fast ;-)

Hehe and for that, to handle all your log stuff, you can buy Check Points log correlation software (Eventia) ;-)