I have an issue that I cannot find a solution for, so I thought I would post here.
The scenario:
Data center #1: Two IP560 firewalls. Interface eth-s1p1c0 configured on both devices with 28 bit mask. VRRP configured.
Data center #2: Two IP297 firewalls. Interface eths1c0 configured on both devices with 28 bit mask. VRRP configured.
IP560#1 is connected to IP297#1 (Call this LINK#1)
IP560#2 is connected to IP297#2 (Call this LINK#2)
IP Schema goes something like this:
192.168.1.0/28
192.168.1.1 - IP560#1, eth-s1p1c0
192.168.1.2 - IP560#2, eth-s1p1c0
192.168.1.3 - IP560-VRRP
192.168.1.4 - IP297#1, eths1c0
192.168.1.5 - IP297#2, eths1c0
192.168.1.6 - IP297-VRRP
Normal routing is IP560#1 to IP297#1 across LINK#1 and during failure, fails over to the other box using VRRP.
The problem I am seeing is when I attempt to manage IP297#2 via HTTPS or SSH, the packet is travelling thus: IP560#1->(LINK#1)->IP297#1->IP297#2, but the reply from IP297#2 is coming back over LINK#2 and being dropped.
This manifests in the tracker as errors like: "ICMP reply does not match a previous request" and other similar messages. Effectively the packet state seems to be ignored...
I suppose my first question is: Should I be using this interface to manage the devices? But otherwise, does anyone have any suggestions?
Thanks in advance,
Si...
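The drop described in the post is the classic asymmetric-routing failure of stateful inspection: the member that receives the reply never saw the request, so it has no connection entry to match and logs the reply as unsolicited. The following simulation is an added example, not code from the post or from the firewall vendor, and it uses a deliberately simplified model of a stateful firewall pair (a shared set of 5-tuples standing in for the real connection table, with an optional state-synchronisation link between members). The addresses and the SSH flow are taken from the post; the source port and the "state sync" remedy are assumptions, the latter being one of the two standard fixes alongside forcing the reply onto the same link as the request.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one direction of a connection."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)

@dataclass
class Packet:
    flow: Flow
    opens_connection: bool = False  # e.g. a TCP SYN or the first ICMP echo request

class StatefulFirewall:
    """Minimal model of stateful inspection (constructed for this example):
    a packet that opens a connection creates a state entry; any other packet
    must match an existing entry in either direction or it is dropped."""

    def __init__(self, name: str):
        self.name = name
        self.state: set[Flow] = set()
        self.sync_peers: list["StatefulFirewall"] = []  # members we replicate state to
        self.log: list[str] = []

    def inspect(self, pkt: Packet) -> bool:
        f = pkt.flow
        if f in self.state or f.reverse() in self.state:
            self.log.append(f"{self.name}: accept {f.src}->{f.dst}:{f.dport} (matches state)")
            return True
        if pkt.opens_connection:
            self.state.add(f)
            for peer in self.sync_peers:          # hypothetical state-sync link
                peer.state.add(f)
            self.log.append(f"{self.name}: accept {f.src}->{f.dst}:{f.dport} (new connection)")
            return True
        # This is the situation behind "reply does not match a previous request".
        self.log.append(f"{self.name}: DROP {f.src}->{f.dst}:{f.dport} (no matching state)")
        return False

def simulate(reply_returns_to: str, state_sync: bool) -> tuple[bool, bool, list[str]]:
    """Send one SSH request from IP560#1 to IP297#2 over LINK#1 and deliver the
    reply to the named IP560 member. Returns (request_ok, reply_ok, log)."""
    fw1 = StatefulFirewall("IP560#1")
    fw2 = StatefulFirewall("IP560#2")
    if state_sync:
        fw1.sync_peers.append(fw2)
        fw2.sync_peers.append(fw1)
    members = {"IP560#1": fw1, "IP560#2": fw2}

    # Management SSH from IP560#1 to IP297#2; source port 51000 is constructed.
    request = Flow("192.168.1.1", 51000, "192.168.1.5", 22)
    request_ok = fw1.inspect(Packet(request, opens_connection=True))

    # The reply is routed back over whichever link the far side chooses.
    reply_ok = members[reply_returns_to].inspect(Packet(request.reverse()))
    return request_ok, reply_ok, fw1.log + fw2.log

if __name__ == "__main__":
    for path, sync in (("IP560#1", False), ("IP560#2", False), ("IP560#2", True)):
        req, rep, log = simulate(path, sync)
        print(f"reply via {path}, state sync={sync}: request={req} reply={rep}")
        for line in log:
            print("   ", line)
```

Running it shows the three cases side by side: a symmetric return over LINK#1 is accepted, the post's asymmetric return over LINK#2 is dropped by the member with no state, and the same asymmetric return is accepted once the two members share state. In a real cluster the equivalent choices are to make the reply path symmetric (route management traffic to the peer's own address via the link that carries the request) or to rely on the cluster's connection-table synchronisation.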
----------------------------------------