Peter Addy <[email protected]> wrote:

> does anyone know why my firewalls would say active active in a vrrp
> configured set up

As others have said, this is because Checkpoint does not know the master/backup state of VRRP; that is managed by the OS, so Checkpoint goes active/active so that it can be ready to direct traffic if it should suddenly show up due to a VRRP event.

> there is one interface which always appears to be in master when it
> should be in backup

This happens when the interface cannot "hear" the VRRP announcements coming from the other firewall. It will think the other master is dead, and assume master for itself.

However, this sounds like an incorrect VRRP design with separate VRRP grouping for each interface. Normally all interfaces would need to be grouped together, so that if one interface fails, all of them fail together so that the other firewall takes over all traffic.

> this is an interface which has two networks assigned to it, but is ok
> on the master and shows in master; there are two backup addresses on
> this interface

In older versions of IPSO, I have run into many problems trying to assign VRRP to two networks on the same interface. What I found worked best was to assign only one VRRP config and use proxy-arp with the virtual MAC to manage the secondary IP. This was much more stable.

> also, should cphaprob stat show active/active or active/backup? In
> VRRP I can't recall

You will always see cphaprob show active/active with a Nokia VRRP config.

> finally, an issue we have had is that all works ok; however, when we
> change the VRID to 3 from 1 on both firewalls, a problem occurs,
> so we then change the VRID back to 1 and all works fine, so I'm
> thinking: is this the firewall or switches or even the load balancers
> we have?

It sounds like you have other devices also using VRRP with router id 1; if they conflict you will create many problems. Use tcpdump on Nokia to detect what other devices are sending VRRP packets if you are not sure where they come from.
-- 
David DeSimone == Network Admin == [email protected]
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow

=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
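The last two problems in the thread (an interface that cannot hear the peer's advertisements, and a VRID that collides with another device on the segment) both show up the same way on the wire: more than one source sending VRRP advertisements for the same VRID on one segment, where a healthy pair has only the master talking and the backup silent. The following is an added example, not code from the original post or from Nokia/Check Point, that shows how to decode the VRRPv2 advertisements tcpdump would capture (IP protocol 112 to 224.0.0.18) and flag VRIDs claimed by more than one sender. The captured packets, the addresses and the function names are constructed for the example; in practice you would feed it the payloads from `tcpdump -ni eth-s1p1 -w vrrp.pcap 'ip proto 112'` or similar.

```python
import struct
from collections import defaultdict

# VRRP advertisements go to this multicast group with this IP protocol number.
VRRP_MCAST = "224.0.0.18"
VRRP_PROTO = 112
# Assumed tcpdump filter to collect the traffic this parser expects.
TCPDUMP_FILTER = "ip proto 112 and host 224.0.0.18"


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, vips, interval: int = 1) -> bytes:
    """Build a VRRPv2 advertisement (RFC 3768 layout) with a valid checksum.
    Used here only to construct sample captures for the example."""
    header = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, interval, 0)
    body = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    body += b"\x00" * 8  # authentication data (unused, auth type 0)
    csum = inet_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advert(pkt: bytes) -> dict:
    """Decode a VRRPv2 advertisement; raise ValueError on anything malformed."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    ver_type, vrid, prio, naddr, auth_type, interval, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement (version/type byte 0x%02x)" % ver_type)
    if inet_checksum(pkt) != 0:  # a correct packet checksums to zero
        raise ValueError("bad VRRP checksum")
    if len(pkt) < 8 + 4 * naddr + 8:
        raise ValueError("truncated advertisement")
    vips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(naddr)]
    return {
        "vrid": vrid,
        "priority": prio,
        "interval": interval,
        "auth_type": auth_type,
        "vips": vips,
        # The virtual MAC every VRRP router derives from the VRID; two devices
        # with the same VRID on one segment will both answer ARP with this MAC.
        "vmac": "00:00:5e:00:01:%02x" % vrid,
    }


def find_vrid_conflicts(observations) -> dict:
    """Given (source_ip, vrrp_payload) pairs from one segment, return
    {vrid: [sources]} for every VRID advertised by more than one source.
    Only the master advertises, so two talkers for one VRID means either a
    foreign device using that VRID or a split (each side thinks it is master)."""
    senders = defaultdict(set)
    for src_ip, payload in observations:
        try:
            adv = parse_advert(payload)
        except ValueError:
            continue  # ignore garbage; a real tool would log it
        senders[adv["vrid"]].add(src_ip)
    return {vrid: sorted(srcs) for vrid, srcs in senders.items() if len(srcs) > 1}


# Constructed sample capture: firewall fw1 at 10.1.1.2 runs VRID 1 and 3; a
# load balancer at 10.1.1.50 also happens to use VRID 1 for its own VIP.
SAMPLE_CAPTURE = [
    ("10.1.1.2", build_advert(1, 100, ["10.1.1.1"])),
    ("10.1.1.2", build_advert(3, 100, ["10.1.1.1", "10.1.2.1"])),
    ("10.1.1.50", build_advert(1, 254, ["10.1.1.100"])),
    ("10.1.1.2", build_advert(1, 100, ["10.1.1.1"])),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_CAPTURE:
        print(src, parse_advert(payload))
    print("conflicting VRIDs:", find_vrid_conflicts(SAMPLE_CAPTURE))
```

The conflict report for the sample capture names VRID 1 as claimed by both 10.1.1.2 and 10.1.1.50, which matches the symptom in the thread: the pair works on VRID 3, which nothing else on the segment uses, and misbehaves on VRID 1. If instead both firewalls show up as talkers for every VRID, the backup is not hearing the master, which points at the switch path (VLAN, multicast filtering, or a port that drops 224.0.0.18) rather than at the VRID choice.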
