CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: manrag
Hi all,
We all know there are several times when policies are installed on a cluster and members may leave and join or fail over. What we usually do in those cases is increase the fwd and...
Thanks serlud,
Where can I find in the documentation what you state about the machines being exactly the same?
Hi
This is a simple question, but I didn't find the answer in the documentation. Is it possible to have 2 members of a VSX cluster with different HW?
Ex: an IAS m8 appliance and a VSX-1 9070?
...
Look at this
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34203&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=Security
...
You can just change the sync interface in that fw and modify the topology. It is not necessary to make any change on the other FWs.
Yes, that sk worked for us some time ago. But guess what: it was not fixed for ADP cards, which we have on the original client.
Checkpoint gave us a new IPSO we're still testing. It appears to be...
Hi, your question is not clear. But look at Hash Selection in the Cluster config guide. This may be what you're looking for.
Also use static work assignment.
As a test I will try to change the physical interface, on the Nokia and on the switch.
I think you are missing the configuration of the VIPs in the topology. You can try to configure them by doing a get topology or just entering them manually. Interfaces must be defined as cluster...
What is the output of the fw ctl pstat command? Did you check for errors on the Checkpoint sync interface? Please attach the output of netstat -i for that interface.
NAT is involved in these VPNs. Do you have any sk number or something I can reference when opening a ticket with the TAC?
Interesting, will check if NAT is involved. Please keep me updated on how things go with the patch. Are you using IP platforms?
Hi all
We had two past cases in which some VPNs with third parties failed when policies were pushed. After a lot of troubleshooting and testing, we disabled SecureXL and the problem never happened...
Hi,
We had an IPSO cluster with interfaces at 100FD which showed around 25000 concurrent connections. We replaced it with another cluster with interfaces at 1000FD, and we are now seeing around 100000...
Hi Pierre,
Are there kernel fixes for IPSO 6.1 and 6.2? Is Checkpoint going to release a fixed build?
I really hope this solves the problem!! That would be great.
Thanks
Hi,
Unicast or multicast is not an option for us because of routers and switches. Our workaround is to work on the new Active-Standby mode.
Regards
We have 2 different tickets with Checkpoint for this (we have the problem in 3 different clusters)... nothing at all... we already replicated the problem in a lab environment. But nothing from Checkpoint...
No one with a cluster working on IPSO 6.1 or above?
Hi:
Please run fw monitor; the problem could be in the response packet.
ifconfig -a on the master node (in IP Clustering) after clustermac
Hi,
Anyone with an IPSO cluster on 6.1 or above (forwarding mode, load balancing) working fine? Did you make any adjustments?
Regards
Hi all,
About 7 months ago we put our first IP2450 cluster in production. We are using IPSO 6.1 and NGX R65 for IPSO6; the members have ADP cards. We replaced an old IP 740 cluster in forwarding...
Hi, for your information... we were using the default SmartDefense template. We disabled almost everything in SmartDefense, and the failovers and crashes stopped. Actually the VSX cluster is working...
Hi,
Recently we tried to put a VSX NGX R65 cluster on SPLAT in production. We had problems because members started failing over and sometimes froze or crashed.
MGCP traffic is passing...
Sisu-up
Thanks for your answer. I have two questions.
1. Can you clarify for me what the FCS dhrelay is?
2. The actual FW cluster that is in production (the one that's being replaced by the VSX...
Hi, I want to configure DHCP relay on an NGX R65 VSX cluster. I've seen some people talking about NATing, and other sks talking about modifying some files.
Can someone help me with the steps for...
Hi,
Haven't found anything yet on this, and that's why I'm asking.
What will happen with the Nokia certification career? E.g. NSA, etc...
Hi, we're managing a gateway from a SmartCenter Server through the Internet. We managed to establish SIC and install policies, but there aren't any logs from that gateway in the tracker. What can we...
Hi, I'm installing CP standalone NGX R65 (also tried R60 with the same problem) and it installs successfully, but when we reboot the machine after installation we get the error:
configuring IPv4...
Hello, had you applied the patch after HFA_02? If not, you will have to apply it as stated in sk33821.
If you have 192.168.1.0 defined in your internal network you will have 1 of 2 problems: traffic from the VPN client blocked by anti-spoofing, or asymmetric routing.
Solution: use office mode...
We've had a good experience using OSPF with one of our clients using Nokia and Crossbeam: 7 Nokia clusters and 1 cluster over Crossbeam, all using OSPF at this moment over NGX R60 HFA_05. No problems...
Yes, you cannot manage your gateways on R65 if your SCS is R62; you will have to migrate your management server first. This is a must, there is no option.
You can disable SmartDefense in the gateway object by checking "do not apply SmartDefense on this gateway" under SmartDefense.
The ping issue can be related to this: sk26874. The fw monitoring is telling you that the fw check is not passing; you can check what is failing by running the cphaprob list command.
Ok, thanks for the info. The workaround is not working for me :(.
Hi:
We have a pair of Nokia IP560 in simplified mode VRRP. A week ago we upgraded to NGX R65 (from R62) and applied HFA_02. Now the vpn tu command is not working fine; if I try to delete the SAs...
Hi there, I have a very similar problem: a cluster in VRRP on Nokia IP560. When policies are applied (not all the time) some VPNs may fail (randomly); the only way to make them work again is to make a...
You should review the tables on both members using the fw tab -t connections -s command. If the Vals numbers are very different, that will show a problem in the sync; try using a dedicated interface for...
One explanation can be that you applied a different HFA 02 for R65 on the management and the module.
The first HFA_02 that Checkpoint released had the bug; a few days after that they released another HFA_02...
It is not possible using only 1 IP; the minimum will be 2 IPs using VRRPv2.
Hi, you can use the backup command, which will take all of the OS information (routes, IP addresses...) and the Checkpoint configuration.
You can also use the snapshot command that will take a...
Yes it does. It takes all the OS info including the static routes.
Hi, is this a standalone or just the gateway?
In unicast you will have to put the MAC of each of the modules. In multicast you will have to use the multicast MAC.
Regards
Hi to all, have you used objectfiller from Martin Hoz? I've used it for recreating a SCS and it works well; in the documentation it says that you can rebuild your SCS (at least get the objects and rules!!)...
With the Nokias you don't have to use ClusterXL, just VRRP or IP Clustering.
What kind of VRRP are you using? IPSO versions? What is the output of cphaprob list on both members?
I agree, I can even say Nokia directly recommended downgrading in one of our implementations. We have a problem with a 560 on IPSO 4.2 crashing (about once a month) and haven't found a good answer...
You should check routing in your boxes. You can use fw monitor on your nodes to look at where packets are getting in and out of your FW. The syntax should be like this:
fw monitor -e "accept...
Hi, you can get the Voyager reference guide for your IPSO version from the Nokia site. There is a good explanation about all kinds of VRRP.
If you're using simplified mode you will only have to get your gateways out of the communities and disable the VPN rules. After the fwm sic_reset just include the gateways in the communities again and enable...
Take a look at this resolution, #skI3301, in which it is explained how to use dbedit or GUIdbedit to make changes to the objects_5_0.C file. I recommend using GUIdbedit; you can find the application in...
How are you changing that value?
Are you using GUIdbedit?
You will have to upgrade the SecuRemote licenses also.
Yes, I'm not sure those would be the words, but I'm referring to the IP of the client running SecuRemote.
Does the native SecuRemote IP overlap with your network? This may result in asymmetric routing: although you see packets accepted in the logs, the responses will never get back to the client. You...
Hi, actually this procedure is used when the password is lost. If you knew it you could change it using Voyager. There is indeed one correction that has to be made.
Depending on the IPSO version you're...
What I like about IP Clustering is that you have the chance to make changes through cadmin on both members at the same time. Some of our clients have problems in failover because of missing routes or...
Here is the solution just in case.
108
There is one part you should correct where it says:
NokiaIPxxx>set user cadmin oldpass " newpass password
should be
NokiaIPxxx>set user cadmin...
Have you tried this resolution, 1129558, on the Nokia site?
https://infocenter.knowledge.nokia.com/InfoCenter/index?page=content&id=1129558&actp=search
Did it once and it worked, because you have...
We are a Checkpoint partner so we have direct support with Checkpoint. Most of the companies here have support with us.
Regards
Just after you install your SCS it will ask you if you want to create an admin account; you must create it and assign a password (also include the GUI clients as needed). You have to log in with this...
How was your install process? As the readme states, if you install this build of IPSO 4.2 from boot manager on a platform running IPSO 4.1 build 16 or 19, it might repeatedly panic and reboot.
If...
OK MCNallym, thanks for making that clear to me.
Hmmm, not quite sure for the 350; if I'm not wrong we did replace a 350 disk with one that didn't come from Nokia.
I'm sure on the 710 it will get into boot manager even if there is no disk inside...
Thanks for your answer.
Already opened a ticket with CP. They told us to upgrade to R65 or downgrade (we're on R61) to R60 HFA 04 and apply voip_hotfix_02. I think we'd better upgrade to R65.
Hi, just to make something I read clear: boot manager doesn't come on the disk. It comes in local memory in the Nokia appliance (for some legacy appliances like the 440 you had to use a start-up disk)...
It should work without problems no matter if the boxes are different. It will also work in IP Clustering; that's what the performance rating is for.
We have several clusters of IP710 and IP380 in IP Clustering...
This is how I would do it.
First take some backups.
1. Define the physical interfaces on both members.
2. Connect them to the switch so they have link.
3. Define the VRRP interface in the...
Which mode of HA are you using?
In simplified mode VRRP you will have the same MAC for all the VIPs (as you call them) by default, but you can define specific MACs for each of the VIPs. On all...
We have had the users problem in some cases. We solved it using fwm dbexport before upgrading, then manually creating the user groups and using fwm dbimport.
We had also lost the pre-shared secrets; we had to...
Sorry if you already did, but did you add the NATed address to your encryption domain?
IPSO 3.8 uses a special wrapper called R55p, and the latest hotfix for it is HFA_09 for R55p. It's always better to have the latest HFA (and IPSO build) applied to your platform. Already applied HFA 09...
The number of connections will depend on the amount of traffic you have. What helps you check the sync between nodes is comparing those numbers; they have to be very similar on both nodes but may have a...
Hi,
We're implementing a new net for VoIP using Call Manager 5.1.2. We have the following error and the packet is dropped when the client registers:
Information: reason: Unknown SCCP message...
Is HFA 01 for R61 already applied? There is an issue with the new UTM licenses, which are not recognized in R61 without HFAs. If this is the case you will have to apply HFA 01 and then attach the...
This message usually means that the Checkpoint versions are different on the members. Also check the IPSO versions and builds; you can use fw ver on both members and compare.
Maybe there was...
Hi,
Already put it in production a week ago, with the latest build of 4.2. We used simplified VRRP, and it is working fine up to now.
Hi all, I'm installing a new FW (two nodes in VRRP) with IPSO 4.2 and NGX R62. I had some problems when deleting the configuration and then creating it again.
I wonder if any of you has experience...