topic Re: VSX-Virtual switch issue in Firewall and Security Management

VSX-Virtual switch issue

SinisaZG — Thu, 16 Nov 2023 11:22:50 GMT

Hi guys,

I am working on a project in a VSX Cluster environment (16200 appliances)

I created three virtual systems. One of them is VPN concentrator.

I created a virtual switch and and I assigned a public IP address. I will use it for Remote Access.
I put together a remote access VPN which si basic.

I have a few difficulties:

First when I try to connect with the VPN client, it tells me the server is unavailable. Again, we are talking about a fairly simple setup that I have done many times. Added IP address as if it doesn't exist outside the VSX segment. Arp entries show nothing

The second issue is that I can't assign VPN Office Mode (using IP pool)

I tried with solution sk111785 and described in:

https://community.checkpoint.com/t5/Security-Gateways/Configure-Client-VPN-on-VSX/td-p/94678

No result at all!!

BUT when I remove/delete the Virtual switch from Virtual system/VSX Cluster and add a physical interface to the virtual system with same IP public address everything works as it should.

I tried several times to create a new Virtual switch and I get the same results. I need a Virtual switch because later I will share that interface with another virtual system. The port that I want to share contains a range of public IP addresses so that it can be used on multiple virtual machines

Does anyone have any suggestions, whether this is a limitation, a bug or something else?

Regards,

Sinisa

Re: VSX-Virtual switch issue

Chris_Atkinson — Thu, 16 Nov 2023 12:02:33 GMT

Please share the version & jumbo take applied to the environment for context?

Re: VSX-Virtual switch issue

SinisaZG — Thu, 16 Nov 2023 12:05:41 GMT

Sorry I forgot to write that

R81.20, take 26

Thanks for your reply!

Re: VSX-Virtual switch issue

SinisaZG — Thu, 16 Nov 2023 13:16:01 GMT

I don't know if it is useful information;

I have a similar setup on a Multidomain environment with VSX and everything works as it should. So the problem is present only with the virtual switch on VSX on one tenant/domain

Re: VSX-Virtual switch issue

PhoneBoy — Thu, 16 Nov 2023 21:43:01 GMT

Did you set Link Selection in the relevant VS to the correct IP?
I presume this will be required since you're not using the main IP of the VS...

Re: VSX-Virtual switch issue

SinisaZG — Fri, 17 Nov 2023 08:10:12 GMT

Thank you for your reply.

Link Selection is set to that IP address.

As far as I can see I have two options;

Delete the existing VS create it from the start and test it again (not exactly a proper solution for production) OR involve the TAC team for that.

Re: VSX-Virtual switch issue

Wolfgang — Fri, 17 Nov 2023 08:46:55 GMT

@SinisaZG did you checked twice the assignment of interface/bond and/or VLAN to the vswitch and your VS ? Was a policy install done to the specific VS after changing the interface topology to the vswitch ?

Re: VSX-Virtual switch issue

Alex- — Fri, 17 Nov 2023 09:06:48 GMT

Maybe you're using Proxy ARP and need to adapt the relevant local.arp files.

Re: VSX-Virtual switch issue

SinisaZG — Fri, 17 Nov 2023 10:11:07 GMT

I found where the problem is/was. The link selection option does not work When creating VS, the first interface created is Main. I usually create the LAN side first. Later I added the WAN interface.
The IP on the WAN interface is also the address of the VPN concentrator. I set that IP address to Link Selection.
After several checks, VS persistently puts the address from the interface I created first (LAN side) And this only applies when we use a virtual switch. Link Selection works when I use a physical port

I deleted VS and created a new one, but this time the WAN interface was created first. Everything works now.

I recreated the first scenario again and it doesn't work again.

The lesson of the story is that link selection does not work when we want to use another connection and we have only virtual switches on VS.

Over the weekend I will create this scenario in the LAB and test it again.

Re: VSX-Virtual switch issue

SinisaZG — Thu, 14 Dec 2023 11:58:01 GMT

I tested in the lab on some versions, R81.10 and R81.20. The error occurred at our client with version R81.20 with Take 26. When multiple public IP addresses are used in combination with multiple Virtual Switches,
For some reason, Link Selection IP address remains stuck regardless of whether we change the IP address in Smart Console.

I did not research the issue in detail, but the only solution was to reinstall the Virtual System again.
The problem is not present in the latest version, Take 41.