topic Re: handle ARP broadcasting on cluster FW in General Topics

handle ARP broadcasting on cluster FW

Kamiar_Sh — Tue, 08 Oct 2019 14:34:56 GMT

Hi All,

here is the topology:

I have a cluster GW R77.30 and each cluster has an interface in VLAN 142 which are connected to Cisco L2 switch and on the other hand our client has two redundant server that are connected to another Cisco L2 switch and they configured the servers GW with my GW VIP 192.168.10.17

192.168.10.10 Server 1 <---- 192.168.10.19 FW -1 active

Cisco 3750 <-----> Cisco 3850<----- VIP 192.168.10.17 <------ server B

192.168.10.11 server 2 <----- 192.168.10.18 FW-2 Passive

additional Info:

1- in our network a few servers are in server B side want to talk to server 1 and 2

2-server 1 and 2 are Linux

so the problem is when client patching their servers( 1 and 2) and reboot them all TCP session from server B will be down and server 1 and 2 not respond to any TCP or ICMP request and when they ping VIP .17 is not getting response so they have to ping our FW physical IPs .18 and .19 and then ping VIP .17 , do you have any idea of this issue?

how the cluster FW handle ARP broadcasting ?

appreciate that if you share your experience

Re: handle ARP broadcasting on cluster FW

G_W_Albrecht — Tue, 08 Oct 2019 14:56:28 GMT

Firstly, i have to tell you that the used version R77.30 is out of support. In sk111956: ARP Forwarding in Check Point ClusterXL you will find details about ARP and clusterXL...

Re: handle ARP broadcasting on cluster FW

FedericoMeiners — Tue, 08 Oct 2019 15:05:37 GMT

@Kamiar_Sh

You may want to try to enable virtual mac configuration in Cluster XL, it sounds that will solve your issue. This way you network will always see the same MAC address of your cluster.

Hope it helps,

Re: handle ARP broadcasting on cluster FW

Kamiar_Sh — Tue, 08 Oct 2019 15:36:59 GMT

I am wondering is there any potential impact if I enable VMAC ?

Thanks

Re: handle ARP broadcasting on cluster FW

FedericoMeiners — Tue, 08 Oct 2019 15:43:08 GMT

Most issues arise from the fact that your switch will see the same mac address on different ports, but that is easly configurable from the switch perspective.

Even if it's not directly related, you may want to check a question that I asked here in this post VSX Cluster + Bond + Proxy ARP: To VMAC or not to VMAC where @Maarten_Sjouw and @Wolfgang share useful information about VMAC.

As always, try to do these changes on maintenance window, its easy to revert in case of failure.