Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
932
Views
0
Helpful
2
Replies

Cisco Cat6500 & Nokia IP530 Clustering Issues

swatkins
Level 1
Level 1

‎04-22-2010 02:56 AM - edited ‎03-11-2019 10:36 AM

Hi,

We have two sites connected via a 1Gb trunk. There is a cluster of Nokia IP530 firewalls, split between the two site. Everything was working fine until the core switches were changed out on one of the sites (went from a Cisco 4507 to Cat6500 with Sup720).

Since the change, both firewall think they are the "Master". We have verrified L2 & L3 conenctivity - all looks ok.

We moved the Nokia off the 6500 and moved it to the same site as the other Nokia (these sit on Cisco 4506E with Sup6)....clustering works fine when they are on the same site.

Here the general port configuration that works on the 4506E

!
interface GigabitEthernet6/46
description TEMP_NOKIA_HB
switchport access vlan 202
switchport mode access
switchport nonegotiate
speed 100
duplex full
spanning-tree portfast
!

On the Cisco 6500, we are using the following general configuration....

!

interface GigabitEthernet8/47
description NOKIA_HB
switchport
switchport access vlan 202
switchport mode access
switchport nonegotiate
speed 100
duplex full
spanning-tree portfast edge
end

I believe that both the firewalls are set to use Unicast for clustering, however when I put a sniffer on the directly on the FW Heart Beat port, I noticed alot of Multicast traffic... On both sites, the port connecting to the Nokia Heartbeat port is receining M/cast traffic.

We've moved the firewalls back into one site to maintain redundancy.

My next step is to put a sniffer on the one segment to view a "normal" cluster establishment.

Does anyone have any insights in regard to this issue?

Thanks

Simon

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎04-22-2010 04:50 AM

Simon

Are the 2 firewalls in the same vlan ? If so and they are multicasting have a look at the attached doc which covers a common multicast issue when source and receivers are on different switches.

Jon

Preview file
24 KB
0 Helpful

swatkins
Level 1
Level 1
In response to Jon Marshall

‎04-22-2010 05:10 AM

Jon,

Yes the Nokia Heart Beat interfaces are in the same L2 VLAN.

Thanks for the information - will review and post up the results.

Regards


Simon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card