CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Good afternoon, I hope somebody can shed some light on this. I have a site with 2 Nokia IP 350's in a Nokia IP cluster. I need to monitor these with Orion and, rather than monitoring the cluster IP, I want to monitor each individual node. I monitor the internal interfaces of these nodes over the VPN, and the problem I'm having is it will only monitor one firewall at a time. Basically it will be successfully polling firewall A and then firewall B will take over, thus Orion starts monitoring it and reporting firewall A as being down. I called a third party company and they have said it can't be done. Is that so? I thought that a Nokia IP cluster is configured for load sharing, so it should be active/active. The message the tracker tells me when a node is down and getting polled from Orion is "received a clear text packet within an encrypted connection". Can anyone offer any advice here? It's really frustrating and there is nothing in the knowledge base about it.

Mick

Sorry, I don't clearly understand what "Orion" monitoring is. I think it's a program, right? And maybe my advice will not be useful. But why don't you use SmartView Status for these goals, or maybe SNMP?

Hey, thanks for the reply. Yeah, Orion is a SolarWinds product that we use to proactively monitor all things networking related. It uses SNMP. Our WAN is quite large, so this is our centralised management area, so it's got to work from here. The question is, though, can this sort of monitoring be achieved to a Nokia IP cluster in high availability over a VPN? Hope you can help.

When Orion alarms you that your module is down, is the module also down in SmartView Status? Is your cluster status correct at this time (active, active)? You can see cluster status with the command "cphaprob stat" on the modules. I don't work with Nokia clusters, but on SPLAT (for example) clusters you can see the status with this command. I think on Nokia also. Try to check all available SNMP OIDs with something like an SNMP browser. Maybe Orion is not using the "right" OID.

I would like to concentrate on the error message that you are getting: "Received a cleartext packet within an encrypted connection". When you double-click on this error, what interface is it being shown on? Internal or external? What direction is it going in, is the arrow pointing to the left or the right? The VPN that you have, is it in traditional mode or simplified? Are you running IP clustering in forwarding or multicast mode?

Thanks for the reply. The VPN is traditional mode, the IP cluster is in forwarding mode and it's load sharing, not HA. The arrow points to the left on eth2c0, which is the internal interface, and when it reports on the working node it gets accepted on the external interface of the firewall with the arrow pointing to the left, so it looks like this could be where the problem is? And when Orion reports it as down it is absolutely and definitely up and running. Thanks for the help.

Mick

The following message is now also appearing in the logs, which I hadn't noticed before:

```
Number: 360275
Date: 15Feb2006
Time: 15:52:02
Product: VPN-1 & FireWall-1
Interface: eth2c0 (which is the internal interface and the arrow is pointing to the right)
Origin: EURCLNKFW03 (62.17.x.x)
Type: Log
Action: Drop
Protocol: udp
Service: snmp-read (161)
Source: w_10.20.1.9 (10.20.1.9)
Destination: EURCLNKFW02 (10.5.161.75)
Rule: 4
Source Port: 1091
Information: dst scheme: NA route status: Different community ID, possible NAT problem (VPN Error code 01)
```

What appears to be happening is that your traffic is coming in firewall A into the internal network and then over to the internal interface of firewall B. Firewall B gets the packet but knows that from that source it should be encrypted, not in cleartext as it is receiving it, hence the error message that you are getting. Everything happens in reverse when firewall B handles the initial packet. Not sure if you are using static or dynamic work assignment for your cluster. Changing it to static may help, but I'm not in a position to test this. Also check the 3rd party configuration on the cluster object: is Sticky connections enabled?

OK, I'm with you. We are using dynamic work assignment and sticky connections is enabled, as recommended for Nokia IP clustering. I will see about changing the work assignment but would prefer to do it out of hours, as I can only do it on the live network. Thanks for your ongoing help on this.

Mick

Good morning, my situation is slightly different. I have a site with 2 Nokia IP 560's in a Nokia IP cluster in "forwarding mode". I need to monitor devices behind this cluster with SolarWinds' Orion and Tivoli.

Network:

```
LAN|-----|eth1 FW A eth2|--------|DMZ
LAN|-----|eth1 FW B eth2|--------|DMZ
```

Orion & Tivoli are in the LAN. Basically it will be successfully polling the DMZ devices, and then I begin to notice SNMP packets enter Firewall A's eth1 interface and the return traffic exit Firewall B's eth2 interface. Orion/Tivoli start monitoring and reporting devices as being down. The firewall logs look like this:

```
Origin>Source>Destination>Services>Source Port>Status
FW A>tivoli server>switch device>snmp-read>ACCEPT
FW B>switch device>tivoli server>4690UDP>snmp-read>DROP
```

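The pattern both posters describe, an SNMP request accepted on one cluster member and its reply dropped on the other, is easy to confirm from the logs before touching the cluster configuration. The following script is an added example and not code from the thread or from Check Point: it parses records in the `>`-separated layout quoted in the post above (the column header, the optional source-port field, and the node, host and service names are all constructed placeholders mirroring that layout) and flags any DROP whose reversed flow was ACCEPTed on a different node. A drop on the same node that accepted the request is deliberately not flagged, since that is a rulebase question rather than a request/reply split across members.

```python
"""Added example (not from the thread): correlate per-node firewall log
records to flag flows whose request was accepted on one cluster member
and whose reply was dropped on the other, the asymmetric-path pattern
discussed above.  Log lines are constructed in the '>'-separated layout
quoted in the post; node and host names are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A middle field that is only digits, optionally suffixed UDP/TCP, is the source port.
PORT_RE = re.compile(r"^\d+(?:UDP|TCP)?$", re.IGNORECASE)

# Constructed sample, mirroring the "Origin>Source>Destination>Services>Source Port>Status" layout.
SAMPLE_LOG = """\
Origin>Source>Destination>Services>Source Port>Status
FW A>tivoli server>switch device>snmp-read>ACCEPT
FW B>switch device>tivoli server>4690UDP>snmp-read>DROP
FW A>orion server>router-1>snmp-read>ACCEPT
FW A>router-1>orion server>1091UDP>snmp-read>ACCEPT
FW A>orion server>router-2>snmp-read>ACCEPT
FW A>router-2>orion server>1092UDP>snmp-read>DROP
"""


@dataclass(frozen=True)
class Record:
    origin: str           # cluster member that logged the packet
    src: str
    dst: str
    service: str
    sport: Optional[str]  # only present on reply records in the sample
    status: str           # ACCEPT or DROP


def parse_line(line: str) -> Record:
    """Split one '>'-separated record; the source-port field is optional."""
    fields = [f.strip() for f in line.split(">")]
    if len(fields) < 5:
        raise ValueError(f"unexpected record layout: {line!r}")
    origin, src, dst = fields[:3]
    status = fields[-1].upper()
    middle = fields[3:-1]
    sport = next((m for m in middle if PORT_RE.match(m)), None)
    service = next((m for m in middle if not PORT_RE.match(m)), "")
    return Record(origin, src, dst, service, sport, status)


def parse_log(text: str) -> List[Record]:
    """Parse every non-empty line, skipping the column header."""
    return [parse_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("Origin>")]


def find_asymmetric_drops(records: List[Record]) -> List[dict]:
    """Return one finding per DROP whose reversed flow was ACCEPTed on a different node.

    A drop on the same node that accepted the request is left alone: that is a
    policy question, not the cluster splitting request and reply across members."""
    accepted_on: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        if r.status == "ACCEPT":
            accepted_on.setdefault((r.src, r.dst, r.service), set()).add(r.origin)

    findings = []
    for r in records:
        if r.status != "DROP":
            continue
        # The reply has source and destination swapped relative to the request.
        request_nodes = accepted_on.get((r.dst, r.src, r.service), set())
        other_nodes = sorted(request_nodes - {r.origin})
        if other_nodes:
            findings.append({
                "request_node": other_nodes[0],
                "reply_node": r.origin,
                "flow": f"{r.dst} -> {r.src} ({r.service})",
                "reply_sport": r.sport,
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_drops(parse_log(SAMPLE_LOG)):
        print(f"asymmetric path: request via {f['request_node']}, "
              f"reply dropped on {f['reply_node']} for {f['flow']}")
```

On the constructed sample the only finding is the Tivoli-to-switch poll (request via FW A, reply dropped on FW B); the router-2 drop on FW A is skipped because the same node accepted the request. Run against a real export in this layout, a non-empty result is the evidence to bring to the work-assignment and sticky-connections settings discussed earlier in the thread.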
Then my advice would be to put static NATs on the devices through SmartDashboard and monitor the external addresses. That should do the trick for you. Just make sure you tie the rule down so only SNMP traps can reach them.

__________________
tdvit CCSA CCSE

Why would I ever give internal switches external IP addresses? Let me clarify the network architecture further.

```
LAN|---|eth1 FW A eth2|---|DMZ|---|InternetFW1|--ISP1
LAN|---|eth1 FW B eth2|---|DMZ|---|InternetFW2|--ISP2
```

Normally you wouldn't, but I don't see what else you can do. As your Nokia cluster is load sharing, the route the packets take changes all the time. What sort of switches are they, and are they holding a lot of config?

__________________
tdvit CCSA CCSE