| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I am in the process of implementing VRRP on my Nokia IP 330 boxes. I installed IPSO 3.8 on the IP330s. Then I implemented VRRP on these. It works fine. I installed Check Point AI (R55). On my management server I created a cluster group and included both the firewalls as members. The VRRP stops working. In Voyager under VRRP both the firewalls are in backup state with 0.0.0.0 location. There is no VRRP traffic between these (I checked using tcpdump), though there is a rule on my management server to allow this traffic. Can you let me know where I am making mistakes? Regards, RK |
| |||
| Check out this link: http://www.gosecure.ca/english/files...p_ha_v1.29.pdf It is pretty detailed for VRRP configs. If it does not help, please post what your VRRP rule looks like and any info from Tracker. |
| |||
| Both firewalls being in backup state comes from only one thing: you have Monitor Firewall State enabled in the VRRP configuration and something isn't set up correctly. Monitor Firewall State will monitor a few things on the firewall to ensure they are working properly and, if not, will force itself into backup state. It will ensure that there is a valid VRRP policy on the appliance, that you have HA enabled, and that the fwd process is running. If one of those is not correct then it goes into backup. You can disable Monitor Firewall State to test; once you disable this you should have master/backup. |
| |||
| Hi Lackie, Thanks for your reply. As per your suggestion, I disabled the firewall monitor state, and it works fine now. I understand that Check Point and Nokia recommend that we should leave the firewall monitored state enabled. I double-checked the configurations to check the VRRP policy, HA and the fwd process as per your mail. I was not able to find any discrepancies. I restarted my Nokia boxes a couple of times to check whether there are any VRRP issues. It seems to be working fine. Can I keep the firewall monitored state disabled? Regards, RK |
| |||
| You can keep it disabled, but the appliance will only fail over if there is a loss of link on an interface. Type the following command to see the status of the HA module: 'cphaprob state'. If you run this on both appliances and it says anything other than both showing as Active, then that is the problem that you are having. If HA is not enabled, you can do this in cpconfig. |
| |||
| Hi Lackie, thanks very much for your reply. Really appreciate it. Sorry for the delay, I was stuck on something else. It works fine for me now. Once again, thanks for your efforts in helping me out. Cheers, RK |
| |||
| I have currently configured both IP380s (IPSO 3.71) to run VRRP with Check Point R55 loaded. I have followed the configuration doc (Nokia VRRPmc / CheckPoint NG) but I have encountered some problems. 1) When both IP380s operate in VRRP mode, should I be able to see the shared VRRP IP address no matter which one is in the active state? That is, can I see it in ifconfig -a? (I ask because I can only see it on the active IP380, so each time I can only see the address on one IP380.) 2) After failover to the backup IP380, I found that the internal host cannot access the public network. I ran tcpdump on the external interface and the internal interface and found that the ping packet can reach the public network and get a reply from it, but after the Nokia receives the packets back, it cannot pass them back to the internal host and drops them due to a malformed ICMP packet. This is not only for ping traffic; normal internet access also fails. Since both IP380s use the same policy, I don't know why one of the IP380s works and the other one fails. Cheers, Gary |
| |||
| Quote:
Sorry for bringing an old thread back to life, but I feel the issue I had with a VRRP config merits it. I set up VRRP on 2 new IP 260s and had it working perfectly. I brought them to a customer site and plugged them in, and the VRRP status on both firewalls was backup backup and wouldn't work. I had to disable monitor firewall state to get it working. Running cphaprob state told me everything was fine, and cphaprob -a if also reported nothing unusual. I don't understand why this happened; it just doesn't make sense. Mick __________________ tdvit CCSA CCSE |
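
The `cphaprob state` check suggested earlier in the thread (every member should show Active, and HA must be enabled) can be scripted so it is run the same way on both appliances. This is an added example, not code from any poster or from Check Point; the sample outputs are constructed and the column layout is an assumption that may differ between releases.

```shell
#!/bin/sh
# Added example, not from the thread. The samples below are constructed;
# the `cphaprob state` column layout is assumed and may differ by release.

SAMPLE_OK='Cluster Mode:   Sync only (OPSEC)

Number     Unique Address  Firewall State (*)

1 (local)  192.0.2.1       Active
2          192.0.2.2       Active'

SAMPLE_BAD='Cluster Mode:   Sync only (OPSEC)

Number     Unique Address  Firewall State (*)

1 (local)  192.0.2.1       Active
2          192.0.2.2       Down'

SAMPLE_OFF='HA module not started.'

# Reads `cphaprob state` output on stdin, prints one line per member that is
# not Active, and returns 0 only if two or more members are listed, all Active.
check_cphaprob_state() {
    awk '
        /^[0-9]+[ \t]/ {                      # member rows start with a number
            members++
            first = ($2 == "(local)") ? 3 : 2  # skip the "(local)" marker
            addr = $first
            state = ""
            for (i = first + 1; i <= NF; i++)  # state may be several words
                state = state (state == "" ? "" : " ") $i
            if (state != "Active") {
                bad++
                printf "member %s (%s): state %s\n", $1, addr, state
            }
        }
        END {
            if (members < 2) {
                print "fewer than two cluster members listed (is HA enabled in cpconfig?)"
                exit 1
            }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# On a gateway: cphaprob state | check_cphaprob_state
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_BAD" | check_cphaprob_state || echo "cluster state needs attention"
```

A clean result here does not rule out the backup/backup symptom, as the last post reports: it only covers the HA module state, not the other conditions Monitor Firewall State is described as checking.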