Management server behind another NGX FW

[nsiddiqi]

I am configuring internal FWs for my client. The way it is configured is that two NGX are cluster A, on one subnet the interfaces were aggregated and then a VLAN with the IP 10.87.1.40 (Cluster IP) was set. On the other interface no VLAN but an IP of 10.87.244.40 was set.

On the 10.87.244.0 subnet two more NGX FW are installed as cluster B with the IP 10.87.244.10. The two clusters are connected via switch on 10.87.244.0 subnet.
Now from the cluster B I am able to ping all the interfaces of cluster A but not able to ping the router interface on 10.87.1.0 subnet nor the management server with IP 10.87.1.50. Same results from the other side that I can ping all the interface of cluster A but not B.
What I need to do so that the router on subnet 10.87.1.0 start pinging the firewall interfaces of cluster B, which is behind firewall cluster A?
After it start communicating what ports should I open on cluster A so that the management station can create a secure channel with cluster B firewalls?

[dondma]

Make sure the firewalls are not dropping the traffic due to spoofing. From each cluster object check the interfaces and spoofing settings. If necessary, create groups containing all the networks that can be seen behind each interface including those that extend beyond the other firewall cluster.

Example:

[Networks A, B]
|
|
[Cluster A]
|
|
[10.87.244.0/24 network]
|
|
[Cluster B]
|
|
[Networks C, D, E]

Spoofing setup -
Cluster A upper interface - Networks A, B
Cluster A 10.87.244.0 interface - Networks 10.87.244.0, C, D, and E
Cluster B 10.87.244.0 interface - Networks 10.87.244.0, A and B
Cluster B lower interface - Networks C,D, and E

D

[northlandboy]

When pings are failing, have you dug into where it is going wrong? Does the router have the right routes? And cluster B, does it have a route via cluster A?

What do your routing tables tell you? Are all devices seeing ARP entries for each other correctly?

Is this a Nokia cluster? Have you configured the Nokias to receive a multicast MAC reply? Your router may also need a static entry. Same with the switches.

What does tcpdump tell you? Where are the packets going?

Standard stuff for troubleshooting really - if you can't ping something (assuming you allow it), then you need to trace the path through the network, find out what is happening to your packets.

As for what traffic you need to allow through, take a look at the implied rules for an idea.

[nsiddiqi]

Thanks
After creating the groups of networks and redefining the spoofing now the management server sees the Cluster B