topic Re: Unknown MAC address used by Standby node in Cluster in Firewall and Security Management

Unknown MAC address used by Standby node in Cluster

Nandhakumar — Sat, 07 Jan 2023 13:11:39 GMT

Is this expected behaviour design that Checkpoint Standby node in cluster will access internet, IPS update, contacting internal servers etc., happens through Sync interface?

Pinged Google DNS 8.8.8.8 from Standby node and captured traffic on Standby firewall using tcpdump and observed traffic echo request packets on sync interface but there is no reply. Further observed there is difference in Source MAC address which leads to VMWare ESX host drops packet.

I have changed Forged transmits option to Accept from Reject in ESX portgroup fixed the issue. However, I would like to know from Checkpoint experts about below Unknown MAC addresses.

Below packet capture from Standby node sync interface

02:56:2e:00:00:01 (Unknow MAC) > 00:0c:29:XX:XX:XX (Active Node Sync interface MAC), ethertype IPv4 (0x0800), length 98: X.X.X.X (Standby Node internet interface IP) > 8.8.8.8: ICMP echo request, id 16914, seq 115, length 64

00:01:00:00:fd:01 (Unknown MAC) > 00:0c:29:YY:YY:YY (Standby Node Sync interface MAC), ethertype IPv4 (0x0800), length 98: 8.8.8.8 > X.X.X.X (Standby Node internet interface IP): ICMP echo reply, id 16914, seq 28, length 64

Re: Unknown MAC address used by Standby node in Cluster

Chris_Atkinson — Sat, 07 Jan 2023 14:16:26 GMT

Standby members traffic via Sync is expected (R80.40) and higher, refer: sk167453

Note sk169154 (section 3.4) provides a mechanism to alter the behaviour if needed.

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Sat, 07 Jan 2023 13:50:43 GMT

Thanks for that information. However, I would like to know Unknown MAC address belongs to Checkpoint or not? How can we ensure that?

There is no aymmetric connection issue here.

Re: Unknown MAC address used by Standby node in Cluster

the_rock — Sat, 07 Jan 2023 14:35:09 GMT

Chris is correct it is indeed expected behavior. As far as unknown MAC, can you verify if that MAC is indeed showing either in cphaprob -a if or ifconfig -a command?

Andy

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Sun, 08 Jan 2023 08:00:36 GMT

There is no such MAC address obderved by running suggested commands

Re: Unknown MAC address used by Standby node in Cluster

Chris_Atkinson — Sun, 08 Jan 2023 09:27:05 GMT

Do you see the same mac-address when both cluster members are on the same ESX host?

Possibly correction layer mac-address TAC should be able to help confirm.

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Sun, 08 Jan 2023 09:30:20 GMT

I dont think so this is specific to ESX host. I am getting same in Checkpoint appliance standby node as well.

Re: Unknown MAC address used by Standby node in Cluster

the_rock — Sun, 08 Jan 2023 13:01:00 GMT

But your cluster works fine otherwise? No failover issue?

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Mon, 09 Jan 2023 04:31:55 GMT

Cluster works absolutely fine. Only issue with Standby node unable to communicate outside world, that too fixed after allowed Forged transmits in ESX but we want to understand from Checkpoint why this behaviour and where these MAC address were getting generated?

Why it not forward packets with actual standby sync interface MAC address as Source MAC?

Re: Unknown MAC address used by Standby node in Cluster

the_rock — Mon, 09 Jan 2023 04:34:14 GMT

I dont have any more ideas, sorry mate. Maybe open a TAC case and see what they say. Personally, I had never seen that before.

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Mon, 09 Jan 2023 04:53:50 GMT

No issues @the_rock . Have already TAC case opened but no useful update from them. I have figured out all these things by myself. Let me see, what they will answer for this Unknown MAC.

Thanks for your response 🙂

Re: Unknown MAC address used by Standby node in Cluster

G_W_Albrecht — Mon, 09 Jan 2023 10:20:27 GMT

MAC-Segment:	00:01:00:00:00:00 - 00:01:00:FF:FF:FF (MA-L)
Hersteller:	EQUIP'TRANS
Adresse:	31 rue Paul Cezanne LA ROCHETTE 77000 FR

Re: Unknown MAC address used by Standby node in Cluster

_Val_ — Mon, 09 Jan 2023 10:45:32 GMT

Those are MAC addresses used to forward traffic from a Standby member. Check why the standup member is actually receiving traffic that needs to be forwarded.

Re: Unknown MAC address used by Standby node in Cluster

G_W_Albrecht — Mon, 09 Jan 2023 10:48:36 GMT

One MAC is from EQUIP'TRANS (see above) - 02:56:2e:00:00:01 is not tied to a vendor. All CP appliances interface HW MACs are in the form:

00:1C:7F:xx:yy:zz

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Mon, 09 Jan 2023 11:00:13 GMT

Not getting your point. @G_W_Albrecht @_Val_ Standby member uses same kind of MAC address to forward traffic to other hosts irrpespective of type of deployment (Deploy in Physical server such as HP or deploy as VM in esx host or Checkpoint appliance).

So, Checkpoint has to answer.

Re: Unknown MAC address used by Standby node in Cluster

_Val_ — Mon, 09 Jan 2023 11:35:04 GMT

Check Point is two words.

What I see from your original post, you see traffic being forwarded from the standby member to the active member. This is normal for some limited scenarios, where a few connections may still be handled by a standby member after failover. These connections should be then forwarded to the active member and sent out.

To do that, a standby member is forwarding packets using an artificial MAC address. This is part of ClusterXL tech. The last octet of that artificial MAC address is a function of your cluster ID.

Depending on the version of your FWs (which you failed to mention) this forwarding can be done via sync or via production interfaces of your cluster.

If you see a lot of forwarded traffic, you should investigate why production traffic hits the standby and not the active member, and fix the issue.

In your case, who is pinning 8.8.8.8 through standby member?

Re: Unknown MAC address used by Standby node in Cluster

Nandhakumar — Mon, 09 Jan 2023 12:23:52 GMT

Cluster running in Gaia R81.10 version. I only ran ping 8.8.8.8 to test internet connectivity from standby firewall. Production traffic always hits active firewall not stanbdy. There is no issue with production application traffic.

Here, the issue that we are talking about connection initiated by standby member. Probably, I will wait for assigned engineer from Check Point to address my queries through remote session.

Re: Unknown MAC address used by Standby node in Cluster

the_rock — Mon, 09 Jan 2023 12:30:37 GMT

Keep us posted, very interesting issue indeed.

Re: Unknown MAC address used by Standby node in Cluster

_Val_ — Mon, 09 Jan 2023 14:00:08 GMT

This is by design, see about forwarded traffic once mode.

Re: Unknown MAC address used by Standby node in Cluster

_Val_ — Mon, 09 Jan 2023 14:01:08 GMT

It is only interesting if one does not know how ClusterXl works, @the_rock 🙂