https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61465#M12400 <P>R80.10 jumbo Take 203</P><P>Cluster XL &amp; VMAC&nbsp;</P><P>I'm referring to both the IP and the MAC address, using fw ctl arp. It's in place.&nbsp;</P><P>&nbsp;</P> Thu, 29 Aug 2019 10:57:48 GMT Alex_Lillo 2019-08-29T10:57:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61447#M12398 <P>Hi mates,&nbsp;</P><P>We are dealing with another strange issue, where a published NAT stops working randomly after a policy install.&nbsp;</P><P>The rule works as expected, the proxy ARP entry is in place, and after changing something completely unrelated (i.e. enabling a protection from staging to prevent), the NAT entry stops working.</P><P>Sometimes is one NAT rule, sometimes is another.&nbsp;</P><P>We are cleaning up our NAT rulebase (currently 377 NAT rules, aproximatedly 40% had already been disabled) just to deal with this and clean things up.</P><P>Has somebody found this problem before?</P> Thu, 29 Aug 2019 08:35:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61447#M12398 Alex_Lillo 2019-08-29T08:35:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61448#M12399 Just a few simple questions:<BR />Which version is on the gateway, which jumbo?<BR />Are you using VMAC in clustering? ClusterXL or VRRP?<BR />In the proxy arp command are you referring to the interface or the mac address?<BR />When it does not work, what does 'fw ctl arp' tell you, is it really gone? Thu, 29 Aug 2019 08:39:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61448#M12399 Maarten_Sjouw 2019-08-29T08:39:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61465#M12400 <P>R80.10 jumbo Take 203</P><P>Cluster XL &amp; VMAC&nbsp;</P><P>I'm referring to both the IP and the MAC address, using fw ctl arp. It's in place.&nbsp;</P><P>&nbsp;</P> Thu, 29 Aug 2019 10:57:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61465#M12400 Alex_Lillo 2019-08-29T10:57:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61466#M12401 <P>UPDATE: When launching "clusterXL_admin down &amp;&amp; clusterXL_admin up" from active member, passive member becomes ACTIVE and the NAT rule starts working again. If you fail back again, the NAT rule still does not work.&nbsp;</P><P>With cpstop &amp;&amp; cpstart on failing member, it starts working normally.</P> Thu, 29 Aug 2019 11:02:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61466#M12401 Alex_Lillo 2019-08-29T11:02:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61467#M12402 Are you using VMAC?<BR />So the command you are using:<BR />add arp proxy ipv4-address 123.123.123.125 macaddress 00:1c:7f:38:22:fe real-ip 123.123.123.123 <BR />Where real-ip is the ip of the member, not the VIP and the macaddress is the VMAC when using VMAC. Thu, 29 Aug 2019 11:03:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61467#M12402 Maarten_Sjouw 2019-08-29T11:03:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61470#M12403 This sounds like you need to open a TAC case and involve <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/14307">@Ilya_Yusupov</a> with this issue. Thu, 29 Aug 2019 11:12:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61470#M12403 Maarten_Sjouw 2019-08-29T11:12:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61471#M12404 Exactly, that's it. Thu, 29 Aug 2019 11:15:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61471#M12404 Alex_Lillo 2019-08-29T11:15:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61504#M12405 <P>Sounds an awful lot like this (sk154092 - Security Gateway loses Proxy ARP entries after policy installation), for which there is a hotfix available:</P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk154092" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk154092</A></P> <P>&nbsp;</P> Thu, 29 Aug 2019 15:58:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-proxy-ARP-fails-randomly/m-p/61504#M12405 Timothy_Hall 2019-08-29T15:58:21Z