On 2008-10-03, Marco Matarazzo <[EMAIL PROTECTED]> wrote:
> Hi Stuart,
>
>
> On Fri, Oct 3, 2008 at 1:46 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
>> On 2008-10-03, Marco Matarazzo <[EMAIL PROTECTED]> wrote:
>> > Communication between vlan[1-3] and vlan[4-6] fails, because traffic
>> > originating from i.e. vlan1 and going to vlan4 does not get routed to FW2,
>> > but remains on FW1 (since the vlan being up creates the local route, even if
>> > the corresponding carp interface is down).
>>
>> You could try only having an address on the carp interfaces, not the
>> vlan interfaces, then use OSPF to announce to the other firewall...
>>
>
> I'm actually already using OSPF to announce the routes to the border routers
> which in turn use eBGP to the upstreams and iBGP between them. The firewalls
> are also using ospf between them. In the past I tried to set up the vlans
> without an address (it'd be very convenient too, since I'd not lose two more
> addresses per vlan!) but then had problems with ospf which refused to
> announce the routes, and always had the feeling that it was not supported.
> If that works, it would resolve all my problems! I'm going to experiment
> with it! ;)


Make sure you announce the carp interfaces, not the vlans, in ospfd.conf.
Something like this:

# areas
area 0.0.0.0 {
        interface vlan701 {
                demote carp
        }
        interface carp80:80.253.102.81 { passive } ## on vlan80
        interface carp193:195.95.187.193 { passive } ## on vlan80
        interface carp72 { passive } ## on vlan72
        interface carp42 { passive } ## on vlan42
        interface carp43 { passive } ## on vlan43
        interface carp209 { passive } ## on vlan209
        interface carp168 { passive } ## on vlan168
        interface carp169 { passive } ## on vlan169
#       interface gif0 { metric 200 } ## adsl backup -> gr1
}

At least some of these carp interfaces have no address on the
parent vlan interface.

If you're reconfiguring a running system ("ospfctl reload") and not
running fairly recent -current, you may get bitten by interfaces that
are added at runtime (after ospfd was started); if that's the case
you need to shut down ospfd and reopen it, otherwise it will fail to
pick up the new interfaces.
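As an added illustration (not code from the thread or from OpenBSD), a small Python check that parses the interface statements of an ospfd.conf fragment and flags subnets announced on a vlan interface rather than on the carp interface running on top of it, following the "announce the carp interfaces, not the vlans" advice above. The sample config and its deliberate vlan42 mistake are constructed, and the parser handles only the syntax subset shown in the fragment.

```python
import re

# Constructed sample modelled on the fragment above; vlan42 is a deliberate
# mistake (subnet announced on the vlan instead of the carp42 on top of it).
SAMPLE_OSPFD_CONF = """
# areas
area 0.0.0.0 {
        interface vlan701 {
                demote carp
        }
        interface carp80:80.253.102.81 { passive } ## on vlan80
        interface carp72 { passive } ## on vlan72
        interface vlan42 { passive } ## wrong: should be carp42
#       interface gif0 { metric 200 } ## adsl backup -> gr1
}
"""

def parse_interfaces(conf):
    """Return [(area, interface, [option tokens])] from a simplified ospfd.conf.
    Only the subset above is handled: '#' comments, 'area X { ... }' blocks and
    'interface NAME[:ADDR] { ... }' written on one line or across several."""
    tokens = re.findall(r"\{|\}|[^\s{}]+", re.sub(r"#.*", "", conf))
    entries, area, i = [], None, 0
    while i < len(tokens):
        if tokens[i] == "area":
            area, i = tokens[i + 1], i + 2          # 'area NAME {'
        elif tokens[i] == "interface":
            name, opts, i = tokens[i + 1], [], i + 2
            if i < len(tokens) and tokens[i] == "{":
                depth, i = 1, i + 1
                while depth:                        # collect until matching '}'
                    depth += {"{": 1, "}": -1}.get(tokens[i], 0)
                    if depth == 1 and tokens[i] not in ("{", "}"):
                        opts.append(tokens[i])
                    i += 1
            entries.append((area, name, opts))
        else:
            i += 1
    return entries

def audit(conf):
    """List interface statements that announce a vlan directly instead of the
    carp interface on it; a vlan carrying 'demote carp' (the inter-firewall
    link, like vlan701 above) is treated as intended and not flagged."""
    problems = []
    for area, name, opts in parse_interfaces(conf):
        ifname = name.split(":")[0]                 # strip optional :address
        if ifname.startswith("vlan") and "demote" not in opts:
            problems.append(f"area {area}: {name} announced directly; announce "
                            f"the carp interface on it (passive) instead")
    return problems
```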
