Hi Just noticed that my vrrp sync network was in the cluster topo, all ok now cheers to all
"Concepcion, Juan" <[EMAIL PROTECTED]> wrote: When you are doing a cphaprob stat both of your firewalls should show up as active. There seems to be an issue with your firewalls communicating on the sync net. Juan -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Addy Sent: Monday, June 05, 2006 7:43 AM To: [email protected] Subject: Re: [FW-1] connection synching Hi I have a similar issuer, however my primary shows down when i do cpharprob stat, the secondary is active. Failover does not appear to work, if i enable the firewall monitoer connections on the priimary this then goes to backup state, turn it off and it becomes master again, ??? Tried to do a cpresart but does not solve the problem, all interfaces appear to be ok and the sync network is not in the cluster topology. Not really sure of what the answer is here or what else to look at, if any one has any idea or has come across this issue before then please be kind enlough to let me know :) Thanks cisco4ng wrote: Nick, I think it is best that I give you an example. Below is a configuration of a pair of Nokia IP530s in vrrp cluster running NG with AI R55w and HFA_04. If your firewall looks different than this, it means that something is wrong. Pay special attention to the "cphaprob state" output. Let me know if you have questions. Checkpoint-NG-1-P[admin]# iclid Checkpoint-NG-1-P> sh vrrp VRRP State Flags: On,LocalReceive 10s coldstart delay (completed) 10 interface enabled 10 virtual routers configured 0 in Init state 0 in Backup state 10 in Master state Checkpoint-NG-1-P> exit Bye. Checkpoint-NG-1-P[admin]# Checkpoint-NG-1-P[admin]# cphaprob state Working mode: Service Number Unique Address State 1 (local) 192.168.1.1 active 2 192.168.1.2 active Checkpoint-NG-1-P[admin]# ------------------------------ Checkpoint-NG-1-S[admin]# iclid Checkpoint-NG-1-S> sh vrrp VRRP State Flags: On,LocalReceive 10s coldstart delay (completed) 10 interface enabled 10 virtual routers configured 0 in Init state 10 in Backup state 0 in Master state Checkpoint-NG-1-S> exit Bye. Checkpoint-NG-1-S[admin]# cphaprob state Working mode: Service Number Unique Address State 1 192.168.1.1 active 2 (local) 192.168.1.2 active Checkpoint-NG-1-S[admin]# Nick Whitworth wrote: Thanks for the reply. Show vrrp shows what I'd expect. On the master, cphaprob state shows firewall state down. On the backup, firewall state is active. Is this what you'd expect? Thanks -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng Sent: 04 June 2006 21:45 To: [email protected] Subject: Re: [FW-1] connection synching Nick, If they both have the same # connections, it means that you're in trouble. Because you're running VRRP cluster, the standby will have almost zero connections (34 connections is mainly administrative connections from the SmartCenter and from Active firewall). To make sure that your cluster is functioning properly, you need to the following: 1) On the nokia IP530s, do "iclid" and "show vrrp", you should see all masters on the Active nokia and all backups on the standby nokia, 2) do a "cphaprob state" on both the nokia and you will see both "active/active". If both nokias meet the above requirements, life is good. Nick Whitworth wrote: Hi, We have a pair of ip 530s in a vrrp cluster. I have used the fw tab -t connections -s command to see if they are synching properly. The active cluster member is showing 622 connections but the backup member is showing 34 connections. Any idea how can I get them in synch? They have both been rebooted already. Thanks, ______________________________________________ Nick Whitworth - Systems Specialist t +44 (0) 1483 816712 | m +44 (0) 7946 520697 | f +44 (0) 1483 816545 a Detica | Surrey Research Park | Guildford | GU2 7YP | UK ______________________________________________ www.detica.com This message should be regarded as confidential. If you have received this email in error please notify the sender and destroy it immediately. Statements of intent shall only become binding when confirmed in hard copy by an authorised signatory. The contents of this email may relate to dealings with other companies within the Detica Group plc group of companies. Detica Limited is registered in England under No: 1337451. Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England. ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= --------------------------------- Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less. ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= --------------------------------- Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less. ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
