-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have set up the synchronized feature and found the same sort
of message in my logs. I just went ahead and tested them, and
found the feature to work. If you're "out" for long periods of
time, I would be inclined to sample that firewall-sync network
to see what's going on.
In my implementation, I had the same networks attached to both
machines and had one "master" the other to ensure identical rule
sets for them. I ran the sync traffic over one of the operational
networks (one with physical security associated with it, internal
to my networks).
It was quite a nice surprise to see it work. I hear that it's not
a bad idea to reboot the machines periodically and flush the state
tables in the process (remove everything in ${FWDIR}/state/),
particularly if you are in the habit of connecting to a unix
security module from Win95/WinNT clients.
At 09:28 AM 9/30/97 -0700, you wrote:
>I am attempting to utilize the synchronization capabilities of FW1 ver
>3.0b to implement "high-availability" and I am running into a problem.
>
>I have two HPUX C100s configured identically. Installed are a total of
>four network interfaces in each.
>
>        Interface 1: to the Internet
>        Interface 2: to the intranet
>        Interface 3: to the DMZ
>        Interface 4: to the "firewall sync network"
>
>The firewall sync network only has the two firewalls on it; I am using a
>non-internet routable "test" range to address that segment. The
>firewalls each have an entry in the /etc/fw/conf/sync.conf file
>pointing to their counterpart.
>
>Here is the problem:
>
>I am continuously seeing a "Got Connection from firewall-1"
>then immediately seeing an "End Connection from firewall-1"
>
>These messages appear simultaneously on both firewall consoles. Logs
>appear to be shared, but state tables only seem to be shared part of the
>time.
>
>Checkpoint suggested that if the two machines' system clocks were more
>than 5 seconds out of synchronization that it could cause this problem.
>We set the clocks to the same time, and tested, still no luck. We even
>installed ntp between them and it did not change the results.
>
>        Anyone have any ideas?
>
>- - -/ W. Ian Schlueter        ian . schlueter @ avnet . com
>- - / Project Manager, Global Internet/intranet support
>- -/ Avnet, Inc. Chandler, AZ
>- / (602) 940-5977
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBNDKojDMEsrBG2tSvEQIdGACaA9IfXOZErVE5hln7lg8AXpYqD78AoLkL
eP9CJ/CL8cSDqxoZQzffMDJM
=kS7z
-----END PGP SIGNATURE-----
---------------------------------------------------------
Scot Anderson | Voice: 703-383-7950 | www.btg.com/[~scot]
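Two small triage helpers for the symptoms discussed in this thread, added here as an example and not code from either poster or from Check Point. The console log lines below are constructed for illustration (the page only quotes the "Got Connection from" / "End Connection from" text, not FireWall-1's exact console format), and the 5-second clock tolerance is the figure the original poster says Check Point quoted to him. Peer name, field positions and the use of epoch-second readings are assumptions of this example.

```sh
#!/bin/sh
# Added example: triage helpers for FW-1 sync flapping and clock skew.
# Not from the original thread; log format and field layout are assumed.

# Constructed sample of the console messages described on the page.
# Format assumed: <Mon> <day> <HH:MM:SS> <host> <daemon>: <message>
SAMPLE_LOG='Sep 30 09:27:41 fw-a fwd: Got Connection from firewall-1
Sep 30 09:27:41 fw-a fwd: End Connection from firewall-1
Sep 30 09:28:11 fw-a fwd: Got Connection from firewall-1
Sep 30 09:28:11 fw-a fwd: End Connection from firewall-1
Sep 30 09:28:41 fw-a fwd: Got Connection from firewall-1
Sep 30 09:28:41 fw-a fwd: End Connection from firewall-1'

# count_sync_flaps PEER [WINDOW]
# Reads log lines on stdin and prints how many Got/End pairs for PEER
# close within WINDOW seconds (default 0, i.e. inside the same second).
# A high count means the sync session is being torn down immediately
# after it is established, which is the poster's symptom.
count_sync_flaps() {
    peer=$1
    window=${2:-0}
    awk -v peer="$peer" -v win="$window" '
        # Convert HH:MM:SS (field 3 in the assumed format) to seconds.
        function tosec(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        $0 ~ ("Got Connection from " peer) { open = tosec($3); have = 1; next }
        $0 ~ ("End Connection from " peer) {
            if (have && tosec($3) - open <= win) n++
            have = 0
        }
        END { print n + 0 }'
}

# clock_skew_ok A B [LIMIT]
# Succeeds when two epoch-second readings (one taken on each firewall,
# e.g. with a date command that supports +%s) differ by at most LIMIT
# seconds (default 5, the tolerance the original poster was given).
clock_skew_ok() {
    a=$1
    b=$2
    limit=${3:-5}
    diff=$((a - b))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$limit" ]
}

# Stand-alone run over the constructed sample: prints the flap count.
printf '%s\n' "$SAMPLE_LOG" | count_sync_flaps firewall-1
```

In practice you would feed `count_sync_flaps` the console log from each firewall and compare the counts; if they flap in lockstep on both boxes while `clock_skew_ok` passes, the clock explanation is ruled out and the sync segment itself (cabling, duplex, the sync.conf peer entries) is the next thing to sample, as the reply above suggests.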