Screen OS

Hi All

Can somone confirm what runs over the direct connection between two firewalls in a NSRP cluster.  IE is it nsrp info over ethernet or are the two netscreens directly communicating without running over ethernet ?  if they are running over ethernet is is possible to connect thm via a switch on the same vlan for instance?  Afaik I  know it isnt running over ethernet but a colleague just enquired and i thought i would double check my thoughts.

Thanks

/Mgk

Hi

Yes, you can connect the 2 FW via switch on the same vlan.

Do take note though that this vlan should be private to this NSRP cluster. If you are sharing this vlan with other NSRP cluster which has the same cluster ID, you could run into some issues.

Thanks.

Hi Mgk,

If you have a direct ethernet connection between the firewalls, and those interfaces belong to the HA zone,  then NSRP will be running over that. If you connect a switch between the NSRP connections, then you should enable HA-probe. Never use the Ha-probe feature unless you are connected via a switch. If you keep them in the same VLAN, then heartbeats will work fine. If you have two connections between the firewalls, control will run over one and data over the other.

The heartbeats don't use IP, instead the frame is sent over ethernet. When using a VLAN, the tag is added to the ethernet frame header. I hope this helps.

Regards

Andy

Hi

Thanks for the info there. Seems you answered my question 🙂

/Mgk