CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Clustering (Security Gateway HA and ClusterXL)
#1  2008-10-28  sameoj (Junior Member, Join Date: 2008-10-27, Posts: 1)
IP Clustering

I have configured IP Clustering on a Nokia IPSO 560. I have 4 ethernet interfaces and I configured them as follows: s4p1 for inside, s4p2 for outside, s4p3 and s4p4 for synchronization. I also used s4p2 for my secondary cluster interface and s4p3 for my primary cluster interface.

I used the cpconfig command to enable and configure the services I needed before I configured the cluster interfaces.

I tried to change the cluster state to up and I get this error message: "firewall check failed".

What went wrong? Can someone please help me?

Please reply to sameoj@gmail.com.

Thanks in advance, cheers.
#2  2008-11-28  mikebudohiee (Junior Member, Join Date: 2007-12-03, Posts: 4)
Re: IP Clustering

First of all I am a little confused with this configuration. I am assuming that s4p1 inside, s4p2 outside are critical interfaces. Now s4p3 and s4p4: what are these interfaces going to be used for? Is there another inside like a DMZ zone; are both of these interfaces going to be used for real data? The reason why I am asking this is that you should make your critical interfaces part of the cluster, and your sync and/or dedicated management interface not part of the cluster. Don't get me wrong, I said "should", I didn't say you had to. Your sync interface and management interface do not need to be part of the cluster. Think of the cluster as the critical interfaces that must act as one. This is where you assign your VRRP IP so that to the rest of the network behind it, it just looks like one device on the wire. Since no other device will ever talk or send traffic via your sync interface, do not make this part of your cluster. Checkpoint allows you to make sync a cluster interface; for one, it does save you on interfaces. However, I have Nokia FWs that have 12 interfaces and I have to dedicate a gig interface just to sync to keep up with the traffic.

Now let's say your interfaces s4p1, s4p2, s4p3 are used for real traffic (inside, outside, DMZ) and s4p4 is used for sync. In the topology table define the first three as cluster, and the last interface as sync (only). On the cluster object, when you define the name and IP, use the VRRP IP defined for your outside interface. This is important if you are going to terminate VPNs in the future. When you build each cluster member object, use the physical outside interface for the object (not the VRRP). Now on the cluster object go to "3rd party Configuration" and choose "High availability" & "Nokia VRRP". Under general properties of the cluster object do NOT have "ClusterXL" checked. On Nokia Voyager configure your "high availability" -> "VRRP" and use simplified. Define the VRID number and for each interface that is in the cluster define a VRRP IP and select "extended mode". Extended mode VRRP is nice because it hashes a unique VRRP MAC based on your VRID+VRRPIP+HASH. This way you cannot accidentally use the same MAC as another device running VRRP.

Make sure your cluster object shows the right "Version and OS". Go back to the topology table and "get interfaces with topology". Now the Cluster column will be empty so you will have to manually define them. When you define it use the VRRP IPs that you configured for each interface on Voyager.
Also, you mentioned cpconfig: make sure that you did enable Cluster.

Now this is the basic idea of what you need to get Nokia VRRP clustering working with Checkpoint. Once you get this compiled with no errors you still will have to define a cluster rule above your stealth rule so that the Checkpoint FW doesn't drop the VRRP communication between the interfaces, or you will not get this working. The interfaces will be in a Master - Master relationship. Here is an example of the rules you will need:

I created a group "Vrrp-Address-Grp" that has a host object for each of the VRRP IPs that I defined in Voyager for the cluster interfaces.

Rule 1
  Source:       FW1-obj, FW2-obj, Vrrp-Address-Grp
  Destination:  224.0.0.18
  Service:      vrrp, igmp
  Action:       allow

Rule 2
  Source:       Any
  Destination:  224.0.0.18
  Service:      vrrp, igmp
  Action:       drop
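The point of the two rules above is ordering: the allow rule for the cluster members' VRRP and IGMP traffic to 224.0.0.18 has to be matched before any rule that would drop it. The following is an added example, not code from the thread or from Check Point; it is a small first-match rulebase evaluator that models the poster's two rules plus a generic stealth rule, and shows that with the allow rule in the wrong place (or missing) the members' VRRP advertisements fall to a drop, while stray VRRP from a non-member is dropped in every variant. The object names follow the post; the IP addresses, the stealth rule and the service names are constructed assumptions for the example.

```python
"""Added example (not from the thread): first-match rulebase evaluation for the
VRRP/IGMP cluster rule described in the post. Addresses are constructed sample values."""

from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = "Any"
VRRP_MCAST = "224.0.0.18"  # VRRP advertisement multicast group (RFC 3768)

# Constructed sample addresses (assumptions, not from the thread).
FW1_OBJ = "192.0.2.11"   # physical outside IP of cluster member 1
FW2_OBJ = "192.0.2.12"   # physical outside IP of cluster member 2
# One VRRP IP per cluster interface, as the "Vrrp-Address-Grp" group in the post.
VRRP_ADDRESS_GRP = frozenset({"192.0.2.1", "10.0.0.1", "172.16.0.1"})


@dataclass(frozen=True)
class Rule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    services: FrozenSet[str]
    action: str  # "accept" or "drop"


def _hit(column: FrozenSet[str], value: str) -> bool:
    """A column matches if it contains Any or the concrete value."""
    return ANY in column or value in column


def evaluate(rulebase: List[Rule], src: str, dst: str, service: str) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit cleanup drop."""
    for rule in rulebase:
        if _hit(rule.sources, src) and _hit(rule.destinations, dst) and _hit(rule.services, service):
            return rule.name, rule.action
    return "implicit-cleanup", "drop"


# Rule 1 and Rule 2 from the post, as Rule objects.
VRRP_ALLOW = Rule(
    "vrrp-allow",
    frozenset({FW1_OBJ, FW2_OBJ}) | VRRP_ADDRESS_GRP,
    frozenset({VRRP_MCAST}),
    frozenset({"vrrp", "igmp"}),
    "accept",
)
VRRP_DROP = Rule("vrrp-drop", frozenset({ANY}), frozenset({VRRP_MCAST}),
                 frozenset({"vrrp", "igmp"}), "drop")
# A generic stealth rule (assumed shape): anything addressed to the firewalls is dropped.
STEALTH = Rule("stealth", frozenset({ANY}),
               frozenset({FW1_OBJ, FW2_OBJ}) | VRRP_ADDRESS_GRP, frozenset({ANY}), "drop")

CORRECT_ORDER = [VRRP_ALLOW, VRRP_DROP, STEALTH]   # allow rule above every drop
WRONG_ORDER = [VRRP_DROP, STEALTH, VRRP_ALLOW]     # allow rule placed too low
MISSING_RULE = [STEALTH]                           # VRRP rule forgotten entirely


def members_can_exchange_vrrp(rulebase: List[Rule], members=(FW1_OBJ, FW2_OBJ)) -> bool:
    """True only if every member is accepted for both vrrp and igmp to 224.0.0.18."""
    return all(
        evaluate(rulebase, member, VRRP_MCAST, svc)[1] == "accept"
        for member in members
        for svc in ("vrrp", "igmp")
    )


def stray_vrrp_is_dropped(rulebase: List[Rule], source: str = "203.0.113.7") -> bool:
    """A non-member speaking VRRP on the wire must end in a drop."""
    return evaluate(rulebase, source, VRRP_MCAST, "vrrp")[1] == "drop"


if __name__ == "__main__":
    for label, rb in (("correct order", CORRECT_ORDER),
                      ("wrong order", WRONG_ORDER),
                      ("missing rule", MISSING_RULE)):
        print(f"{label:14s} members ok: {members_can_exchange_vrrp(rb)!s:5}  "
              f"stray dropped: {stray_vrrp_is_dropped(rb)}")
```

Running it prints one line per rulebase variant; only the correct order lets both members exchange VRRP and IGMP while still dropping VRRP from anything else. The evaluator is deliberately minimal (exact-match source and destination objects, no negation or groups-in-groups), which is enough to show why the post insists the allow rule sits above the stealth rule.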