Hi all

I've just spent many long hours fighting with CPHA at a customer site only
to be told this morning that CPHA does not operate with Ethernet switches. 

System Descr: (2 of)
Sun E220R
Solaris 2.7
CP4.1 SP2 with HA
5 network interfaces (4 in HA mode, one for mgmt/sync)

Now the HA function operates as one would expect. One machine is active and
one is standby. Pull a network cable and they swap roles. It's 12:30am and
life is looking sweet.

Oh! What is all this packet loss (56% of pings disappearing)?

testing....debugging....tcpdump-ing...3:00am...

Observation: The "standby" box is allowing a box on one of the HA segments
to pass a packet which then causes the switch to frob (technical term) with
its mac-2-port table which then directs the reply packets back at the
"standby" firewall that then decides not to pass the packets.  Change the
Ethernet switch to a hub and the packet loss goes away. Now when I say the
"standby" is passing packets I am just talking about the odd ICMP Echo
Request - 99.5% of the actual application traffic is going via the active
box. Unfortunately the number of these ICMP Echo Requests is enough to cause
grief (SSH sessions become unusable for example) - they use NetSaint or
something like that to monitor various services.

Has anyone else seen this type of behaviour?  Has anyone been told
explicitly that they *must* use hubs for CPHA?

We are now considering Stonebeat - I recommended it in the first place :-( 
Of course I now need to know whether it is happy in a switched Ethernet
environment.
Comments please.


Thanks
-Cameron
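
The mechanism in the Observation paragraph, as an added illustration that is not part of the original message: a small simulation of a MAC-learning switch versus a hub. It assumes both HA members source frames from the same MAC address on the segment (the post does not say this); the MAC values, port numbers and leak rate are constructed.

```python
# Constructed values: the post gives no addresses, ports or leak rates.
SHARED_MAC = "00:00:5e:00:53:01"   # assumed: same source MAC on both HA members
CLIENT_MAC = "00:00:5e:00:53:99"
ACTIVE_PORT, STANDBY_PORT, CLIENT_PORT = 1, 2, 3
ALL_PORTS = {ACTIVE_PORT, STANDBY_PORT, CLIENT_PORT}

class LearningSwitch:
    def __init__(self):
        self.table = {}   # MAC -> port where it was last seen as a source
        self.moves = []   # (mac, old_port, new_port) each time a MAC changes port

    def forward(self, in_port, src, dst):
        old = self.table.get(src)
        if old is not None and old != in_port:
            self.moves.append((src, old, in_port))   # MAC flap
        self.table[src] = in_port
        out = self.table.get(dst)
        # Known destination: one port. Unknown: flood to all other ports.
        return {out} if out is not None else ALL_PORTS - {in_port}

class Hub:
    def __init__(self):
        self.moves = []   # a hub learns nothing, so nothing ever moves

    def forward(self, in_port, src, dst):
        return ALL_PORTS - {in_port}   # every frame reaches every other port

def simulate(device, rounds=100, leak_every=4):
    """Each round one HA member emits a frame, then the client replies.
    Every leak_every-th frame comes from the standby member instead of the
    active one. A reply counts as delivered only if it reaches the active
    member's port, since the standby drops it.
    Returns (replies_delivered, mac_moves_seen)."""
    delivered = 0
    for i in range(1, rounds + 1):
        sender = STANDBY_PORT if i % leak_every == 0 else ACTIVE_PORT
        device.forward(sender, SHARED_MAC, CLIENT_MAC)
        out_ports = device.forward(CLIENT_PORT, CLIENT_MAC, SHARED_MAC)
        if ACTIVE_PORT in out_ports:
            delivered += 1
    return delivered, len(device.moves)

if __name__ == "__main__":
    for name, dev in (("switch", LearningSwitch()), ("hub", Hub())):
        ok, moves = simulate(dev)
        print(f"{name}: {ok}/100 replies reached the active member, {moves} MAC moves")
```

On a real switch, the equivalent of `moves` is the MAC-move or "host flapping" log entry, which is the thing to look for when confirming this behaviour.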


