
NGX R60 upgrade and Edge Wan HA help



greyfeld
2006-08-07, 18:06
I am in the process of evaluating a Crossbeam C25. It was running NGX so I needed to update my test lab SmartCenter Server to NGX as well. After accomplishing this (may detail those issues later) and getting the object for the new firewall created, I tried to push an existing policy to the new firewall. When it tries to verify the policy and write out the new .pf file, it fails with error: stub identifier (vpn_enc_domain) "ip addresses" redefined. There are several of these error messages.

Looking at the .pf file, I can see what is happening. We have created a couple of remote Edge Wan HA configurations. In these configurations, I have set up two Edge boxes with the same internet facing IP address through which we manage the boxes. I also have an object for each of these in the firewall since they have different MAC addresses, license numbers, etc. but both have the same IP address for their object. When NGX is creating the policy file for the Crossbeam, it is creating these stub identifiers for each firewall and there are two entries, Edge1a and Edge1b, with the same IP address. Pushing the policy fails every time as it chokes when it verifies the lines where Edge1b's entries are.

Does anyone know how to get around this problem? Thanks for your help!

greyfeld
2006-08-08, 14:40
Ok, here's some more specific information since no one has responded yet. Hopefully, this will spark someone's memory.

As stated before, this test environment has a Crossbeam C25 and a Solaris 8 SmartCenter Server. The Crossbeam already had NGX R60 on it, but the SmartCenter was still on NG AI R55. The SmartCenter had most all of the objects and policies on it very similar to our production environment. This included three sets of VPN-1 Edge WAN HA pairs.

These pairs are configured to have the same WAN interface IP address that is connected to our WAN. There are numerous VLANs on the DMZ port and failover on a port VLAN on one of the LAN interfaces. There are objects for each Edge device that have the same IP address on the SmartCenter. In NGAI R55, I would get a warning that another device had the same IP address when I saved changes to the object, but it didn't seem to have any effect on anything and it worked. They do not do any VPN either. Note that none of these actually exist in the test environment at this time. They are only objects in the SmartCenter.

After migrating from R55 to NGX R60 HFA3 on the SmartCenter, everything appeared to be fine. I configured the object for the Crossbeam box ok. I modified an existing object that we are going to replace with it and changed the IP address to be the management interface on the Crossbeam. So far, so good.
The problem arose when I tried to push an existing policy for the old firewall to the new one. The policy will verify ok, but fails on the installation with the following:

Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20399: ERROR: stab identifier <sr_enc_domain> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20400: ERROR: stab identifier <sr_enc_domain_valid> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20401: ERROR: stab identifier <vpn_enc_domain> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20402: ERROR: stab identifier <vpn_enc_domain_valid> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 21197: ERROR: stab identifier <vpn_routing> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 21200: ERROR: stab identifier <vpn_enable_routing> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 21201: ERROR: stab identifier <vpn_enable_internet_routing> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22060: ERROR: stab identifier <sdb_edge_clusters> for host XXX.XXX.XXX.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22144: ERROR: stab identifier <om_protected_group> for host XXX.XXX.XXX.251 redefined

The IP addresses correspond to the IP addresses of the Edge WAN HA pairs. It appears that it doesn't like the two Edge objects having the same IP address for management. I tried deleting two of the six Edge pairs and they no longer showed up in the error message. The problem is that they are that way in the production environment, so I need to figure out some way to make it work. Any suggestions? I can't find anything on this through Google, Checkpoint Knowledge Base or the user group forums. No, I don't have a support contract either. Thanks.
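The install errors quoted above all share one shape: a `.pf` line number, a `stab identifier <name>`, and the host IP that was defined twice. When there are dozens of such lines across several Edge pairs it helps to group them by host and map each colliding host back to the gateway objects that carry that IP. The script below is an added example written for this thread, not code from the poster or from Check Point; it parses the error format exactly as printed in the post, and the sample error lines, the documentation-range IPs (the post masks them as XXX.XXX.XXX.251), and the small object list (`Edge1a`/`Edge1b` are the names used in the first post, the others are made up) are all constructed for illustration. How you obtain the object-name/IP list from your own SmartCenter is up to you; the script only assumes it arrives as `(name, ip)` pairs.

```python
import re
from collections import defaultdict

# Constructed sample of install-time output in the same format as the errors
# quoted in the post (IPs replaced with documentation addresses). The WARNING
# line is there to show that non-matching lines are ignored.
SAMPLE_INSTALL_ERRORS = """\
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20399: ERROR: stab identifier <sr_enc_domain> for host 192.0.2.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20401: ERROR: stab identifier <vpn_enc_domain> for host 192.0.2.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22060: ERROR: stab identifier <sdb_edge_clusters> for host 192.0.2.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 22144: ERROR: stab identifier <om_protected_group> for host 198.51.100.251 redefined
Advanced Security NGX R60 "/opt/CPsuite-R60/fw1/conf/test_pol.pf", line 20: WARNING: unrelated message
"""

# Constructed gateway-object list (name, management IP). Edge1a/Edge1b share an
# IP as described in the first post; the others are made-up, non-colliding objects.
SAMPLE_OBJECTS = [
    ("Edge1a", "192.0.2.251"),
    ("Edge1b", "192.0.2.251"),
    ("Edge2a", "198.51.100.251"),
    ("Edge2b", "198.51.100.251"),
    ("crossbeam-c25", "10.0.0.1"),
]

# Matches the error lines as printed by the policy compiler in the post:
#   "<pf path>", line N: ERROR: stab identifier <ident> for host IP redefined
ERROR_RE = re.compile(
    r'"(?P<pf>[^"]+)", line (?P<line>\d+): ERROR: stab identifier '
    r'<(?P<ident>[^>]+)> for host (?P<host>\S+) redefined'
)


def parse_redefined(text):
    """Group 'stab identifier ... redefined' errors by host.

    Returns {host_ip: [(pf_line_number, identifier), ...]} in file order.
    Lines that are not redefinition errors are skipped.
    """
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            by_host[m.group("host")].append((int(m.group("line")), m.group("ident")))
    return dict(by_host)


def find_duplicate_ips(objects):
    """Pre-push check: return {ip: [object names]} for every IP used by more
    than one object. An empty dict means no gateway objects share an address."""
    names_by_ip = defaultdict(list)
    for name, ip in objects:
        names_by_ip[ip].append(name)
    return {ip: names for ip, names in names_by_ip.items() if len(names) > 1}


def suspect_objects(errors_by_host, objects):
    """Map each host that produced redefinition errors to the object names that
    carry that IP, so the admin knows which objects to look at."""
    names_by_ip = defaultdict(list)
    for name, ip in objects:
        names_by_ip[ip].append(name)
    return {host: names_by_ip.get(host, []) for host in errors_by_host}


if __name__ == "__main__":
    errors = parse_redefined(SAMPLE_INSTALL_ERRORS)
    for host, entries in errors.items():
        idents = ", ".join(ident for _, ident in entries)
        print(f"{host}: {len(entries)} redefinition(s): {idents}")
    print("duplicate IPs in object list:", find_duplicate_ips(SAMPLE_OBJECTS))
    print("objects behind each failing host:", suspect_objects(errors, SAMPLE_OBJECTS))
```

Running it against the real compiler output (paste it in place of `SAMPLE_INSTALL_ERRORS`) gives one line per colliding host rather than one per identifier, and `find_duplicate_ips` can be run over the object list before a push to spot any further pairs that share an address.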

phatgreenbuds
2006-08-30, 11:25
I guess the first question is why are you using the same IP for each of the edge boxes? I have never used SMS...I manage all my boxes with the Provider-1 and LSM.

I have the C25's in my lab as well and they are being managed from the same lab manager that I test all my Edge boxes on with no issues. But then it's not SMS and I am not duplicating IPs.

greyfeld
2006-09-08, 15:34
According to the Edge High Availability setup documentation, if you want HA on the WAN side of the connection so you will not have to redirect traffic to a different IP address, you have to use the same IP address on both Edge boxes in the WAN HA arrangement.

The document from Sofaware showing how to do this is here:

http://server.iad.liveperson.net/hc/s-9995810/cmd/kbresource/kb-1059948087553319014/view_document!PAGETYPE?sq=high%2bavailability&sf=101113&sg=0&st=566752&documentid=57010&action=view

It shows that both IP addresses on the WAN side are the same. Apparently, NGX R60 SmartCenter Server doesn't like this because it chokes whenever it tries to push a policy. Any help would be much appreciated as I've found nothing to address this anywhere on the net. Thanks.

phatgreenbuds
2006-09-08, 15:40
Interesting... I have never read the docs. I have HA setup and running fine using a VIP address.