Hi

Many thanks for this, just tried doing this and turned on the Monitor Firewall State and then again the primary went into backup, the secondary still in backup also. Disabled the Monitor Firewall State:

[input] Disabled [input] Enabled

And the primary regains as master?

I have set the rule and checked the sync IP is not in the cluster topo, and also in 3rd party all 3 check boxes unchecked. Apparently cpha stat shows both modules as down???

Thanks

Thorsten Behrens <[EMAIL PROTECTED]> wrote:

R55 VRRP rules are not like FP3 VRRP rules. You need to set your cluster object correctly, set the rule, then push policy.

In Cluster object:
- 3rd party set to HA Nokia VRRP, all 3 checkboxes _unchecked_
- Member topology, all interfaces that are VRRPed set to Clustered. Note: This means the sync interface must not be set to clustered.
- Cluster topology, create entries for all VRRP IPs. Naming is not critical; we use ifname-c0-vip
- Synchronization checked, make sure the name and ip of the sync network is unique across all clusters on this management station

Rule:
Source: Cluster-Object
Destination: 224.0.0.18
Service: vrrp / igmp
Action: Accept
Track: None

And push policy.

Now go buy support from us or something because we rock :)

Regards

Thorsten Behrens
SMC Supervisor / Senior Security Engineer
CCMSE CCSE+ CCNA
INTEGRALIS
Your Trusted Security Partner
111 Founders Plaza, 13th Floor
East Hartford, CT 06108 USA
Tel: +1 860 291 0851 x 2244
Fax: +1 860 291 0847
[EMAIL PROTECTED]
www.integralis.com

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] Behalf Of Peter Addy
Sent: Thursday, June 01, 2006 4:03 PM
To: [email protected]
Subject: [FW-1] HELP PLEASE !!!!! Running Nokia IPSO 3.9 and Checkpoint NGAI R55

Hi

Please help! This is a live environment without redundancy!

Previous configuration: Nokia IPSO 3.6 and Checkpoint FP3.
Upgraded to IPSO 3.9 and NGAI R55, HAF_17, performing "new install", running both on Nokia IP740.

Upgrade went fine on one device, however when coming to failover this would not take effect. Downed quite a few interfaces on primary to failover but no VRRP advertisements seen on Secondary???? "cpstop" on primary does not perform failover to secondary??

Also looking at the CPHA, doing cphaprob stat, this shows one active and one down on both modules.
After disabling an interface on the primary the command "sh vrrp " just shows 1 less interface in master state????

Decided to upgrade primary to IPSO 3.6 and NGAI R55, thinking this would resolve the problem. Disabled VRRP preempt mode on both Nokias and tested failover, still not working and both devices went into backup, help!!!

Managed to get the primary back to master by turning the "firewall monitor" off in the VRRP section in Voyager. Checked the Checkpoint policy and all seems ok, pushed policy ok, selecting cluster device as NGAI.

Current status: primary as master and secondary as backup, failover not working and no idea why cpha shows one active and one down? VRRP all checked. Is there fundamentally something wrong here, am I missing something!! Has anyone come across this before?

Your help is most appreciated

Thanks

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
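
A way to check from a packet capture whether advertisements permitted by the rule in the reply (cluster object to 224.0.0.18, service vrrp) are actually reaching the backup, as an added example that is not part of the thread. It assumes the VRRPv2 packet layout from RFC 3768; `parse_vrrp`, `build_sample` and the 192.0.2.x addresses are hypothetical names and constructed sample data.

```python
import socket
import struct

VRRP_PROTO = 112            # IP protocol number assigned to VRRP
VRRP_GROUP = "224.0.0.18"   # multicast destination used in the rule


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_vrrp(packet: bytes):
    """Return advertisement fields from a raw IPv4 packet, or None if not VRRP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != VRRP_PROTO:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    body = packet[(packet[0] & 0x0F) * 4:total_len]   # drop any link padding
    if len(body) < 8 or len(body) < 8 + 4 * body[3]:
        return None  # truncated advertisement
    dst = socket.inet_ntoa(packet[16:20])
    vips = [socket.inet_ntoa(body[8 + 4 * i:12 + 4 * i]) for i in range(body[3])]
    return {
        "src": socket.inet_ntoa(packet[12:16]), "dst": dst,
        "version": body[0] >> 4, "vrid": body[1], "priority": body[2],
        "vips": vips,
        "ttl_ok": packet[8] == 255,                # RFC 3768: TTL must be 255
        "dst_ok": dst == VRRP_GROUP,
        "checksum_ok": inet_checksum(body) == 0,   # sums to zero when intact
    }


def build_sample(src, vrid, prio, vip, ttl=255) -> bytes:
    """Constructed sample: IPv4 header (IP checksum left 0) + VRRPv2 advert."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, prio, 1, 0, 1, 0)
    body += socket.inet_aton(vip) + b"\x00" * 8   # one VIP, empty auth data
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(body), 0, 0, ttl,
                     VRRP_PROTO, 0, socket.inet_aton(src),
                     socket.inet_aton(VRRP_GROUP))
    return ip + body


if __name__ == "__main__":
    print(parse_vrrp(build_sample("192.0.2.2", 10, 100, "192.0.2.1")))
```

Feeding it packets captured on each VRRP interface of the backup shows which VRIDs are being advertised and with what priority; an interface with no parsed advertisements points at the rule or the cluster topology for that interface.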
