Nokia Network Voyager for IPSO 4.0 Reference Guide 199tunnels do not fail over correctly. If the encryption/authentication algorithm is supported inthe master and not supported by the backup and you do not use NAT, tunnels fail overcorrectly, but they are not accelerated after failover.If you use sequence validation in VPN-1 NGX, you should be aware that in the event of afailover, sequence validation is disabled for connections that are transferred to another node.Sequence validation is enabled for connections that are created after the failover.You might want to enable sequence validation in the Check Point management application andIPSO, as described in the following procedure.To enable sequence validation in the Check Point management application andIPSO1. Click Advanced System Tuning under Configuration > System Configuration in the treeview.NoteThis option is available only when SecureXL is enabled.2. On the Advanced System Tuning page, click the button to enable sequence validation.3. Enable sequence validation in the Check Point management application.4. Push the new policy to the IPSO appliance.Configuring VRRP Rules for Check Point NGXWhen you are using Check Point NGX FP1 and FP2 or later, you must define an explicit VRRPrule in the rulebase to allow VRRP Multicast packets to be accepted by the gateway. You canalso block the VRRP traffic with an explicitly defined rule.CautionVRRP rule constructions used in Check Point FireWall-1 4.1 and earlier does not workwith Check Point NGX. Using these constructions could result in VRRP packets beingdropped by the cleanup rule.For information about how to configure VRRP rules for Check Point FireWall-1 4.1, contact theNokia Technical Assistance Center (TAC).Configuration Rule for Check Point NGX FP1Locate the following rule above the Stealth Rule:
