SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

MariuszT — Wed, 21 Jul 2021 07:17:25 GMT

Hi,

Last weekend we've upgraded SMS from R80.20 to R80.40 with blink image upgrade.

After that we have issues with SmartLSM gateways. Every few hours we need to manually fetch policy from ROBO GWs(1450 R77.20.85) because DNS traffic is lost on the tunnel.

Example:

tcpdump on ROBO:

07:52:33.306248 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.53366: 6105* 1/0/0 A 10.112.198.40 (47)
07:52:45.898220 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 84: 10.63.30.244.49942 > 10.13.124.4.53: 61826+ A? mail.partner.xxx.xxx(42)
07:53:29.086509 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.52433 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.107068 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.52433: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:21.699884 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 74: 10.63.30.244.59945 > 10.13.124.4.53: 60861+ A? portal.xxx.xxx. (32)
07:54:24.507508 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.57164 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.527347 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.57164: 46535* 1/0/0 A 10.112.198.40 (47)

we can see queries for 'mail.partner.xxx.xxx' and 'portal.xxx.xxx'

on the central GW those queries are missing:
07:52:33.291531 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.26351 > 10.13.124.4.53: 6105+ A? cpnbb.xxx.xxx. (31)
07:52:33.292107 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.26351: 6105* 1/0/0 A 10.112.198.40 (47)
07:53:29.092007 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.21365 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.092875 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.21365: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:24.512593 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.32668 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.513090 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.32668: 46535* 1/0/0 A 10.112.198.40 (47)

After 'fw fetch' on ROBO GW, DNS queries are going normally:
ROBO GW:
07:59:03.905407 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 88: 10.63.30.244.60248 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.926065 00:1c:7f:7b:04:0a > 00:50:56:b6:75:7e, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.63.30.244.60248: 18586* 1/0/1 A 10.218.190.169 (62)

Central GW:
07:59:03.910580 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 88: 10.13.96.186.24953 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.911431 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.13.96.186.24953: 18586* 1/0/1 A 10.218.190.169 (62)

I've opened SR for that, but maybe you've got some info about known issues with SmartLSM and R80.40 and SMB 1450?

Greetings,

Mariusz

Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

PhoneBoy — Fri, 23 Jul 2021 07:35:42 GMT

Is there a reason you're running R77.20.75 and not R77.20.87, which is much more recent?

Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

MariuszT — Fri, 23 Jul 2021 08:19:23 GMT

my mistake, we're running R77.20.87:

show software-version
This is Check Point's 1450 Appliance R77.20.87 - Build 072

But we had to rollback SMS to R80.20.

The issue was that after few hours ROBO GW's stopped NAT for local networks. We think that somehow they're loosing Dynamic Object configuraction. After fetching policy traffic goes normal for some time 😕

We have SR opened because next year R80.20 is going EOS and upgrade is necessary.

We also tried R81.10 suggested by CP engineer, but it was only worse. We could not install policy on ROBO GWs at all. Tried SIC reset but with no luck.

Greetings,

Mariusz

Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

PhoneBoy — Sat, 24 Jul 2021 01:28:10 GMT

That seems like a possibility.
You can check the current state of dynamic objects using the dynamic_objects CLI command on the gateway to confirm that.
Still, sounds like something TAC needs to look at more closely.

topic Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs. in Firewall and Security Management

SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

Re: SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.