[nsp] HSRP and Netscreen Firewalls

Ian Terry ijt at evasam.com
Fri Jan 10 15:55:56 EST 2003


Hi Stephen,

I am informed that ScreenOS 3.0 is being utilised - I believe there is a
later release, is this required?

I assume the policy relates to the HSRP multicast address? If so,
Netscreen informed the customer that a policy would not be required - it
seemed odd to me at the time as a Firewall would let a multicast
through!

Regards, Ian

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: 10 January 2003 15:42
To: 'Ian Terry'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls


Also make sure 'set arp always' is enabled - key for HSRP environments.

-- steve

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: Friday, January 10, 2003 9:40 AM
To: 'Ian Terry'; 'cisco-nsp at puck.nether.net'
Subject: RE: [nsp] HSRP and Netscreen Firewalls

A few things you might wish to check:

1.  Check what OS version you are running.  May require an upgrade.
2.  Ensure that 'set flow mac-flooding' is enabled.
3.  Ensure that you have created a policy that matches the traffic to
    allow it through.

-- steve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ian Terry
Sent: Friday, January 10, 2003 9:06 AM
To: cisco-nsp at puck.nether.net
Subject: [nsp] HSRP and Netscreen Firewalls

Hello, 

We have a customer who has dual peering links with two different
providers that are maintained via Cisco 7500 routers.

Behind the routers the customer has Netscreen Firewalls that are
configured to operate in transparent mode.

The routers are running HSRP and unfortunately the multicasting of HSRP
does not appear to be allowed through the Firewall - even though
Netscreen claim that it should. If the Firewall is removed, then HSRP
works fine. 

Does anybody have any experiences similar to this?

regards, Ian

tel:   44 (0)7970 499187

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


