Security Basics mailing list archives

RE: Nokia IP 330's HA with VRRP problems


From: "Grabowski, David" <david.grabowski () us mizuho-sc com>
Date: Wed, 26 Nov 2003 11:35:29 -0500

-----Original Message-----
From: William Sykes [mailto:wsykes () deepnines com]
Sent: Tuesday, November 25, 2003 11:19 AM
To: security-basics () securityfocus com
Subject: Nokia IP 330's HA with VRRP problems


All, 
I have a client that has two Nokia 330's in HA using VRRP NG FP3.
When we pull the plug on the Primary and fail to the secondary
everything works as planned. The secondary begins to pass traffic.

The problem occurs when the Primary is brought back online (plugged in).
The primary Firewall loses the ARP table, and no network traffic will
pass.

The fix we are using is to reboot both firewalls.

Has anybody experienced this, or anything like it?
Thanks

Are you simply pulling out a network cable or are you actually killing
power to the box?

In the case of killing power to the box, you may need to adjust the VRRP
coldstart delay so that the interfaces won't go out of the 'init' state
until sufficient time has passed for other services (routing protocols
and FW-1 sync) to configure properly.

In the case of simply pulling a network cable, perhaps you've got an
issue with your switch and MAC caching. The switch has no reason to
allow the VIP MAC to move to another port, because the old port still
has a valid link. To test this, try using hubs.

For more help, I'd suggest either the FW-1 mailing list hosted by
Check Point, or the FW-1 Gurus mailing list hosted by Phoneboy.

-Dave