SmartProvisioning and static IP on EDGE



_MKrol_
2011-02-11, 05:45
Hi,

We just started tests of the SmartProvisioning configuration. Previously we were managing EDGEs from SCS in the "traditional" way. My first impression is that when we use LSM, every EDGE gateway is assumed to be DAIP.
Is there any way to change it? We have only static IPs for every EDGE - for us it's better to add objects with static addresses, but in LSM it seems to be impossible.

Another problem which I met with SmartProvisioning, EDGEs and DAIP is tunnel_test in IPSEC. In such a configuration our CO cluster stopped sending tunnel tests to the EDGEs (meaning that the cluster is not even trying to send them). Other main features like connecting to the Service Center, policy push, etc. seem to work well.

Do you have any ideas how we should deal with it?

securitynewbie
2011-02-14, 14:55
MKrol, I'm not sure I understand your question, but I'll take a stab at it....

From my understanding there isn't a way to assign a static IP for your edge devices in SmartProvisioning. SmartProvisioning retrieves the IP from the edge when it checks in to the SCS. What I have done is create host objects with static IPs that represent the edge devices and group them so that only those IPs are permitted to access the SCS. Now, there may be another way to do this but I have not heard about it.

Regarding the tunnel_test, I have noticed that I don't see them anymore like I did with the traditional setup. I too am curious to find out why that is or if it is happening and it's just not being logged.

_MKrol_
2011-02-14, 15:10
Regarding static IPs, you understood my question well - I thought that there was some way to configure an LSM EDGE object with a static IP - but it seems that the way you have chosen is the right and only one.

Regarding tunnel_test - I found where my mistake is (a similar problem is described somewhere on CPUG). We don't use implied rules, and because of that we should manually pass traffic not just for the tunnel_test service but for tunnel_test_mapped. The tunnel test service is listening on the management interface IP - using tunnel_test_mapped causes tunnel_test traffic to be automatically redirected to the right IP without using any manual NATs and dynamic objects (we use a cluster configuration). An interesting thing is that when using LSM EDGE objects, the devices send only one tunnel_test packet (after IPSEC tunnel establishment) and there is no such regular traffic (every 30 s) like with the "static IP" configuration - but generally it works - permanent tunnel status in SmartView Monitor is UP.

Thank you for your help SecurityNewbie!