1) Interface by interface, it does not seem to make a difference.
2) Ran out of Ethernet ports. I may have to rectify this.
 

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Eugeniu Patrascu
> Sent: Tuesday, September 16, 2008 12:40 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] ClusterXL sync not happening
> 
> East, Bill wrote:
> > Replaced our previous firewall with a pair of IBM 3650s running SPLAT.
> > The management console is installed on a third Windows server inside
> > the network. I'm 95% happy with the install, failover even works, but
> > state synchronization does not.
> >
> > The configuration is one external interface on each, plus one internal
> > interface set in the cluster object as "Cluster + 1st sync." After
> > some reading I made sure that the sync type was multicast and added a
> > rule to allow TCP FIBMGR traffic from the three hosts to each other
> > (SRC: fw1, fw2, mgmt; DST fw1, fw2, mgmt; SVC: FIBMGR). I see in the
> > logs that this rule is being hit.
> >
> > cphaprob state shows
> > Cluster Mode:   New High Availability (Active Up)
> >
> > Number     Unique Address  Assigned Load   State
> > 1          200.1.1.22      100%            Active
> > 2 (local)  200.1.1.23      0%              Down
> >
> > One funny thing, if I look at the logs I'll see
> > Action: Drop SVC: FW1 SRC: [NAT address for internal net] DST: 
> > [firewall internal address] Message info: Address spoofing.
> > and also
> > Action: Drop SVC: FIBMGR SRC:[NAT address for internal net] DST:
> > [firewall internal address] Message info: Address spoofing.
> >
> > Could it be trying to send the information over the external, non-sync
> > interface?
> >
> > Please let me know what other information might be useful. This is my
> > first clustering attempt so my ignorance is even less bounded than
> > usual.
> >
> >   
> First make sure your antispoofing settings are ok. One quick
> way to do this is to disable antispoofing completely and then
> enable it on an interface-by-interface basis.
> Second: is there a valid reason why you did not use another
> Ethernet port on the firewall as a dedicated SYNC?
> 
> 
> 
> Scanned by Check Point Total Security Gateway.
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an 
> email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription 
> options, email [EMAIL PROTECTED] 
> =================================================


