Urgent - Add Nokia Ipso cluster problem

[eldo37]

We have the following problem at work :



We tried to bring in the secondary firewall into the cluster.



The issue that we are seeing is that when the secondary node joins the cluster then outgoing NAT starts to fail randomly.



When I try and telnet on port 80 to an external website from the firewall command line it is successful from one and not the other firewall. I don’t believe this is normal behaviour



Also I am not seeing any “permanent published (proxy only)” when I do an arp –a. I should be seeing them as we are doing auto NAT



When running under following command



stylecpf2[admin]# fw ctl arp

No proxy ARP entries



Which appears incorrect



Below is the fw ver command



stylecpf2[admin]# fw ver

This is Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_06 for IPSO 3.8, Hotfix 624 - Build 004





We have also tried to reboot to solve this issue but without success.

it's Nokia IP380 box.



If you have any idea?

Thank you

[lammbo]

I have suspicions that you need to use the Proxy ARP section in IPSO and add ARP entries using the CLUSTER MAC (as opposed to the previously unclustered single firewall before). You do say you are using auto-NAT but R55 is so old, I can't remember the caviats to Auto-NAT on an IPSO cluster.

I always used auto-nat just so I wouldn't have to mess with manual rules and then added Proxy ARP entries for all of my public IPs into IPSO so that my upstream routers would always be able to forward traffic to my gateways even if the firewall rejected it (so I could see drops in logs for unused IPs).

There are MANY ways to do ARP... maybe this info will help you.

[eduardw]

Also check the "external gateway" for the firewall it is possible that the arp time out on the routers is to high. When you have access to the gateway recreate the problem and try to manual delete the arp entry. Also make sure that both the node in the cluster use the same magic mac addressing.

Eduard