topic Re: VRRP failover issue (SG6900 10Gbps) in Firewall and Security Management

VRRP failover issue (SG6900 10Gbps)

ChoiYunSoo — Mon, 07 Mar 2022 09:40:42 GMT

The customer's equipment was changed from SG23800 to SG6900 equipment.

Versions are R80.20 to R80.40.

And a 10Gbps add-on module is inserted.

- Line card 1 model: CPAC-4-10F-C
- Line card 1 type: 4 ports 1/10GbE SFP+ Rev 4.0

the customer company consists only of an external interface and an internal interface, and it is VRRP.

As for the issue, when Bypass mode is activated in the DDOS device above the Check Point firewall, the firewall will be in the following state.

FW_A, External Interface = Master / Internal Interface = Master

FW_B, External Interface = Backup / Internal Interface = Master

We tested the internal interface by directly connecting the firewall to each other, but the results were the same, and we also confirmed that the hello packet was sent normally.

However, SG23800 configured with R80.40 and tested with the same hotfix, but no symptoms occurred.

Also, when I test the UTP which is onboard on the SG6900, the symptoms do not occur.

I suspect it is a driver firmware issue that appears when an additional module is inserted into the SG6900 or quantum device.

Have you ever experienced or resolved the same symptoms as me?

Currently, I am in the process of opening a case.

PS. R80.40 has been tested from No Hotfix to the latest ongoing hotfix.

Re: VRRP failover issue (SG6900 10Gbps)

Chris_Atkinson — Mon, 07 Mar 2022 11:35:28 GMT

Please confirm the following...

* Which JHF version for R80.40?

* VLANs or Physical interfaces?

* Must configure firewall rule to accept VRRP packets sent from VRRP routers to multicast IP address 224.0.0.18.

* When using VRRP VMAC mode, both spanning tree and IGMP snooping must be disabled to avoid split brain.

Re: VRRP failover issue (SG6900 10Gbps)

ChoiYunSoo — Tue, 08 Mar 2022 01:26:58 GMT

thank you for the reply.

However, we configured and tested the same internally,

and the interface at the bottom of the firewall was directly connected to each other, but the same problem occurred.

It doesn't appear to be a switch issue in my opinion.

I Think This is an obvious bug.

Re: VRRP failover issue (SG6900 10Gbps)

Chris_Atkinson — Tue, 08 Mar 2022 02:09:02 GMT

Please report the case to TAC for assistance, note certain NIC card versions were only "supported" from JHF T139 GA but this doesn't appear to apply in your case.

PRJ-26926,
PMTR-69753

Gaia OS

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

Re: VRRP failover issue (SG6900 10Gbps)

Takeharu_Mineta — Wed, 16 Mar 2022 01:11:45 GMT

It might help you resolve this issue if you are using "VMAC mode: VRRP".

# ethtool --set-priv-flags ethX disable-source-pruning on

I also had a similar issue.
In my lab it occured when I used the interface card "CPAC-4-10F-C" and the driver "i40e" and "VMAC mode: VRRP" on the interface card.