VRRP Problem

[jbailey01]

Hello,

We have two Nokia IP330s running IPSO 3.8 and Check Point NG R55. The two firewalls are configured for HA and had been running fine for over a year. This past week we pushed a new policy and after the policy was pushed both firewalls reported their status as Master for all 7 interfaces we have clustered. I rebooted one of the firewalls and as it was booting the following was logged:

Information: cluster_info: (3rd Party Cluster) State change of member
2 (x.x.x.x) from active to down was canceled, since all other members
are down. Member remains active.

After this message was logged both firewalls again reported as Master for all clustered interfaces.

I have checked the topology and everything looks good, the only thing I noticed was that I can not ping the other side of the sync network I have setup. I am not sure if this is normal, but its just something I noticed while troubleshooting.

I have not been able to do much troubleshooting due to the connectivity problems that are caused when both firewalls are up.

Any ideas?

[rpaige]

It would appear that the policy installed is blocking the receiving of VRRP advertisments. You did not indicate how you resolved the problem, I assume you shutdown or removed one of the pair from the network. I would check the firewall logs from when this happened for dropped VRRP (IP Dest 224.0.0.18) packets. Also check the monitoring page in Voyager for VRRP stats and check for errors.