Hi I have a client with a Checkpoint Firewall (4.1 SP5) running on a Nokia platform (IPSO 3.4.1). The quad card installed in the Nokia has four ports each of which a Cisco Catalyst 3548XL switch is connected to. Simplest way I can describe the problem is this:
Network 10.0.5.X is connected to one port on the firewall and this network has basic LAN user types with workstations and laptops.
Network 10.0.6.X is connected to another port on the firewall and this network has several servers.
When workstations / laptops on 10.0.5.X move files to the servers, run applications that connect to services the servers are running, etc. network connectivity randomly drops.
So the users actually go through the firewall to get to the servers, but during all of this the policy between those two networks is allow any. Firewall logs indicate no drops, etc. Checkpoint is unawares of any issues on their end.
Cisco IOS is 12.0(5.3)WC(1) on the switches. The workstations are all Win2K.
I have looked at the Cisco interfaces and see no errors etc. Basically there are no errors to be seen anywhere except for the client stations that get Windows errors about network connectivity was lost etc. Any help is appreciated.
Hello and thanks. Port-fast is not enabled on the client ports. From what I read port-fast can be used to minimize delay. This particular set up does not seem to delay, it loses connectivity midways during file transfers and at other random times, but I will try enabling fast-port if that is recommended.
To find a link flap do you just look for error conditions blinking on the switch? And what about spanning tree and vlan? I am contracted to do firewall work and not terribly familiar with Cisco swithces =( Thanks again.
One more thing that was not mentioned. When only one person connected to the switch is actively using resources on the switch across the firewall, there seems to be no problem. As soon as another guy connects and starts working he has the problems as described. It seems to happen exactly like this no matter who "gains control" of the network. An exact scenario...
A DBA comes in really early every morning and beings work and has no problems. A few hours later the other guys come in and all of them complain of the problems.
If the DBA steps out for a substantial period of time, one of the other guys will not complain for a while about network connectivity then the DBA comes back and says he starts having the same problems.
Did not mention this earlier because I thought it could add to the confusion, but maybe it is important info. Thanks once again.
Have you checked the IP configurations on the workstations? Are their IP addresses static or dynamic, is default gateway OK, subnet mask correct, etc....?
I would try switch one PC on and start Ping -t to the server. If it works OK, add another PC and ping -t to the same server, etc, etc.
If several PCs continue ping OK, then the fault is not on switches.
I've noticed a similar problem in the past and the problem was a lack of application licenses. But you would receive some message in that case...
Don't you see any message on the switch console at the moment the connection fails? Are you able to ping locally (from the PC whose connection to the server failed to the other PCs connected to the same switch) at that moment?
I have to agree that it does not look like a Cisco problem. One thing you may want to check on the Checkpoint is the NAT for the subnets in question. If you have hide NAT enabled for the subnet, it's possible that you may fix the problem by creating a rule under the FW1 NAT tab that says SourceNet to DestinationNet = original Also, try logging the rule that you have set up to allow these networks to talk to one another along with logging the inherent rules to see if you can see conversations in both directions paying special attention to source and destination IP's. On more than 1 occasion, I've found packets being dropped on rule 0 by FW1
[toc:faq]The ProblemOn traditional switches whenever we have a trunk
interface we use the VLAN tag to demultiplex the VLANs. The switch needs
to determine which MAC Address table to look in for a forwarding
decision. To do this we require the switch to do...
[toc:faq]Introduction:Netdr is a tool available on a RSP720, Sup720 or
Sup32 that allows one to capture packets on the RP or SP inband. The
netdr command can be used to capture both Tx and Rx packets in the
software switching path. This is not a substitut...
IntroductionOSPF, being a link-state protocol, allows for every router
in the network to know of every link and OSPF speaker in the entire
network. From this picture each router independently runs the Shortest
Path First (SPF) algorithm to determine the b...