ibrown
Participant

NAT not being applied on one node of a cluster

Hello All,

I am in the process of trying to move our Check Point infrastructure forward, and as part of an upgrade I've got to deploy a pair of R77.30 Gaia boxes and then move them and the management station up through the versions. Everything works except where the mgmt station talks to remote appliances: it needs to do this via a routable address and is NATed to one in our external range via a manual NAT rule. On node A this works fine; on node B the NAT is not applied and the internal address is seen on the external interface. I've checked the ruleset and the install of the Gaia servers, and everything seems the same between both boxes; the NAT rules are applied to the cluster object, and yet the two nodes behave differently. They do both NAT other objects correctly, just not the mgmt station.

On the incorrect node, CP Tracker shows the NAT being applied in the log; fw monitor shows it not being applied.

Any ideas what might cause this, or how to approach debugging it?

Both are HP physical servers, with a virtual management station on Windows; both are R77.30 HFA take 351. The HP servers have all the latest firmware. The external interface is a VLAN on a 10 Gb trunk to a switch. This is the only difference between the two servers: one sees its card as eth7, the other as eth9, but they are configured the same and are in the same cluster NIC in the cluster topology.

Many thanks

Ian

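The discrepancy the post describes (the log says NAT was applied, fw monitor says the packet left untranslated) can be checked mechanically by correlating the four fw monitor capture points of each packet. The script below is an added example, not code from the thread or from Check Point: it parses the classic fw monitor summary lines, groups the i/I/o/O records of one packet by IP id, protocol and destination, and for every packet that entered with the management station's internal source address reports what source address was seen at the post-outbound (O) point on the external interface. Source NAT is performed on the outbound chain, so a packet that is still carrying the internal address at O on the external VLAN is exactly the node B symptom. The addresses, the interface name `eth7.200` and the sample capture are all constructed for the example.

```python
"""Correlate fw monitor capture points and report whether source NAT was applied.

Added example for this thread; not Check Point's code and not output from the
poster's gateways. Parses the classic fw monitor summary line format
("<iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<n>"), groups the
i/I/o/O capture points of each packet, and checks whether packets that entered
with the management station's internal address left the external interface
translated. All addresses, interface names and the sample capture are made up.
"""
import re
from collections import defaultdict

# One fw monitor summary line. The optional bracketed prefix ("[vs_0][fw_1]")
# appears on newer releases; R77.30 prints the interface name first.
LINE_RE = re.compile(
    r"^(?:\[[^\]]*\])*\s*"
    r"(?P<iface>[\w.\-]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<proto>\w+)\)\s+"
    r"len=\d+\s+id=(?P<ipid>\d+)"
)


def parse_fw_monitor(text):
    """Map (ip id, proto, dst) -> {capture point: (interface, source address)}."""
    packets = defaultdict(dict)
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # "TCP: 33001 -> 18191 ..." detail lines and other noise
        key = (match["ipid"], match["proto"], match["dst"])
        packets[key][match["point"]] = (match["iface"], match["src"])
    return packets


def nat_findings(text, internal_ip, external_iface):
    """For each packet entering with internal_ip as source, report the source
    address seen at the post-outbound (O) point on external_iface.

    nat_applied is True when O shows a different address, False when the
    internal address leaked out untranslated, and None when the packet never
    reached O on that interface (dropped, or routed out elsewhere)."""
    findings = []
    for (ipid, proto, dst), points in parse_fw_monitor(text).items():
        if points.get("i", (None, None))[1] != internal_ip:
            continue  # not from the management station
        out_iface, out_src = points.get("O", (None, None))
        if out_iface != external_iface:
            findings.append({"ipid": ipid, "proto": proto, "dst": dst,
                             "egress_src": None, "nat_applied": None})
            continue
        findings.append({"ipid": ipid, "proto": proto, "dst": dst,
                         "egress_src": out_src,
                         "nat_applied": out_src != internal_ip})
    return findings


# Constructed capture: id=100 is translated correctly, id=101 leaves with the
# internal address (the node B symptom), id=102 is a workstation (ignored),
# id=103 never reaches the post-outbound point.
SAMPLE_CAPTURE = """\
eth1:i[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=100
TCP: 33001 -> 18191 .S.... seq=1a2b3c4d ack=00000000
eth1:I[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=100
eth7.200:o[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=100
eth7.200:O[44]: 203.0.113.10 -> 198.51.100.20 (TCP) len=44 id=100
eth1:i[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=101
eth1:I[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=101
eth7.200:o[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=101
eth7.200:O[44]: 10.10.1.5 -> 198.51.100.20 (TCP) len=44 id=101
eth1:i[60]: 10.10.5.77 -> 198.51.100.20 (TCP) len=60 id=102
eth7.200:O[60]: 203.0.113.11 -> 198.51.100.20 (TCP) len=60 id=102
eth1:i[44]: 10.10.1.5 -> 198.51.100.21 (TCP) len=44 id=103
eth1:I[44]: 10.10.1.5 -> 198.51.100.21 (TCP) len=44 id=103
"""

if __name__ == "__main__":
    for f in nat_findings(SAMPLE_CAPTURE, "10.10.1.5", "eth7.200"):
        print(f"id={f['ipid']} -> {f['dst']}: egress src {f['egress_src']}, "
              f"nat_applied={f['nat_applied']}")
```

To apply it to a real cluster, run the same capture on each member (for example `fw monitor -e 'accept src=10.10.1.5;'` with stdout redirected to a file, substituting the real management address) while the management station connects to the affected remote gateway, then feed each member's file to `nat_findings` with that member's external VLAN interface name. A member whose findings show `nat_applied=False` is the one leaking the internal address, and comparing the `o` and `O` records for the same packet tells you whether the outbound chain saw the packet at all.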
6 Replies
PhoneBoy
Admin

For management NAT to work properly, it should be configured on the management object itself versus a manual NAT rule.
Cluster members also need to have exactly the same interfaces (which means the eth7 versus eth9 thing should be addressed).

the_rock
Legend

I get what you are saying, but I also get what @PhoneBoy mentioned. Interfaces should definitely match, and yes, for NAT to be applied correctly for the mgmt object, it should be done as he said, as per below:

[attachment: Screenshot_1.png]

ibrown
Participant

Thanks, and thanks to PhoneBoy. I will change it to this; I think the manual NAT rule has historically been there. The interface move is more annoying, as the servers are in a remote data center and intelligent hands are difficult to get to cable things when you cannot see the servers to know which slot they are using!

ibrown
Participant

Disappointingly, changing the NAT made no difference. It's really odd: it's only to one remote firewall it manages, not to anything else. I can see the NAT being applied to workstations behind the firewalls, and it works on the other node of the cluster pair. I'll have to schedule a trip to the remote DC and sort the cards and see if it helps, though as the cluster addresses move OK, I cannot imagine it will.

_Val_
Admin

R77.30 has been out of support for ages.

ibrown
Participant

I know.....! 
