06-28-2010 05:16 AM
Hello,
Two SSG firewalls running ScreenOS v.6.1 are being configured in an active/passive cluster. Interface eth0/0 has IP 192.168.1.1; the management IP addresses are 192.168.1.2 and 192.168.1.3 for the first and second firewalls resp.
The clustering is OK. The issue is that the master firewall cannot ping its cluster IP (192.168.1.1), while it can ping its management IP and that of the backup. Other devices on the network can ping 192.168.1.1 and all management IPs.
Do you have an idea?
On other firewalls (not the same config) the master can ping its cluster IP.
We are troubleshooting a MAC issue on our network and this is a part of the troubleshooting.
Best Regards
06-28-2010 07:56 AM
In the gui, when you edit the interface, there is a tick box next to the IP labeled "manageable". Tick this.
set int ethernetx/x manage
Sam.
06-29-2010 03:12 AM
Hello,
Manage and ping are already enabled.
Any other thoughts?
Regards
06-29-2010 08:54 AM
Do the following:
Log in to the Master CLI
undebug all
Clear debug
get ff ... ensure that this output is empty, and if it is not empty use "clear ff" many times till it is empty
set ff dst-ip [IP you are trying to ping]
debug flow basic
Now initiate the ping and wait 3 sec
undebug all
get db st ... paste that output
07-06-2010 01:32 AM
Hello,
Thanks for your reply
I already did the debug but it doesn't show any output. Below are some outputs (I did the same scenario on another firewall):
SSG350M-> get conf | i manageable
set interface ethernet0/2 ip manageable
SSG350M-> get i e0/2
Interface ethernet0/2:
description ethernet0/2
number 6, if_info 14448, if_index 0, mode route
link up, phy-link up/full-duplex
vsys Root, zone Untrust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.1.1/24 mac 0023.9c78.0a06
manage ip 192.168.1.2, mac 0023.9c78.0a06
route-deny disable
pmtu-v4 disabled
ping enabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
NHRP disabled
bandwidth: physical 1000000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
DHCP-Relay disabled at interface level
DHCP-server disabled
sw session infinity loop 0
Number of SW session: 128063, hw sess err cnt 0
SSG350M-> get ff
Flow filter based on:
id:0 dst ip 192.168.1.1
id:1 dst ip 192.168.1.2
SSG350M-> get debug
flow: basic
SSG350M-> ping 192.168.1.2
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=0/0/1 ms
SSG350M-> ping 192.168.1.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds
.....
Success Rate is 0 percent (0/5)
SSG350M-> get db str
SSG350M-> get db str
SSG350M->
07-06-2010 02:19 AM
Hi,
Please attach the output of "get nsrp". I see that:
*ip 192.168.1.1/24 mac 0023.9c78.0a06
manage ip 192.168.1.2, mac 0023.9c78.0a06
The MAC 0023.9c78.0a06 does not look like an NSRP address. The prompt SSG350M-> should be SSG350M(M)-> on the Master and SSG350M(B)-> on the Backup.
Kind regards,
Edouard
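The two checks from the reply above, run over a pasted CLI capture, as an added example that is not part of any post in this thread. The function name and the same-MAC heuristic are assumptions made here (the reply only says the MAC does not look like an NSRP address), and the sample is trimmed from the output posted earlier.

```python
import re

# Constructed sample: trimmed from the CLI output posted in this thread.
SAMPLE = """\
SSG350M-> get i e0/2
Interface ethernet0/2:
  *ip 192.168.1.1/24 mac 0023.9c78.0a06
  manage ip 192.168.1.2, mac 0023.9c78.0a06
SSG350M-> get db str
"""

# Prompt with an optional NSRP role marker: host-> / host(M)-> / host(B)->
PROMPT_RE = re.compile(r"^(\S+?)(\([MB]\))?->", re.M)
# "*ip <addr>/<len> mac <mac>" line of "get interface"
IP_RE = re.compile(r"^\s*\*?ip\s+(\S+?)/\d+\s+mac\s+([0-9a-f.]+)", re.M | re.I)
# "manage ip <addr>, mac <mac>" line of "get interface"
MGT_RE = re.compile(r"^\s*manage ip\s+(\S+?),\s*mac\s+([0-9a-f.]+)", re.M | re.I)


def nsrp_findings(transcript):
    """Return human-readable findings (hypothetical helper, not a ScreenOS tool)."""
    findings = []

    # Check 1 (stated in the reply): a cluster member's prompt carries (M) or (B).
    roles = {m.group(2) for m in PROMPT_RE.finditer(transcript)}
    if roles == {None}:
        findings.append("prompt has no (M)/(B) NSRP role marker")

    # Check 2 (assumption): if the interface IP answers with the same MAC as the
    # manage IP, the interface IP is not on a separate cluster (virtual) MAC.
    ip = IP_RE.search(transcript)
    mgt = MGT_RE.search(transcript)
    if ip and mgt and ip.group(2).lower() == mgt.group(2).lower():
        findings.append(
            f"interface IP {ip.group(1)} and manage IP {mgt.group(1)} "
            f"share MAC {ip.group(2)}"
        )
    return findings


if __name__ == "__main__":
    for line in nsrp_findings(SAMPLE):
        print("finding:", line)
```
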