https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113163#M21242 <P>&nbsp;</P><P>hi,</P><P>&nbsp;</P><P>i have a situation, where some traffic towards a standby node in a cluster is dropped by anti spoofing.</P><P>ICMP and SNMP is being dropped by anti spoofing,</P><P>The traffic is being sent over vpn, and there are about 10-15 other locations with this set up, and it works just fine there.</P><P>Not sure if this is a version bug, it is running r80.20 with no jumbo. Other locations are mainly r80.30 and .40, with a few r80.10 and r77.30.</P><P>&nbsp;</P><P><EM>fw ctl set int fwha_forw_packet_to_not_active has been set to 1 on both cluster members, and i can access the standby node on ssh without any issue, its just the other traffic being dropped. Traffic to the active node works just fine.</EM></P><P>&nbsp;</P><P><EM>Has anyone seen anything similar before, and have any valuable input?</EM></P> Thu, 11 Mar 2021 12:56:15 GMT KM1895 2021-03-11T12:56:15Z https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113163#M21242 <P>&nbsp;</P><P>hi,</P><P>&nbsp;</P><P>i have a situation, where some traffic towards a standby node in a cluster is dropped by anti spoofing.</P><P>ICMP and SNMP is being dropped by anti spoofing,</P><P>The traffic is being sent over vpn, and there are about 10-15 other locations with this set up, and it works just fine there.</P><P>Not sure if this is a version bug, it is running r80.20 with no jumbo. Other locations are mainly r80.30 and .40, with a few r80.10 and r77.30.</P><P>&nbsp;</P><P><EM>fw ctl set int fwha_forw_packet_to_not_active has been set to 1 on both cluster members, and i can access the standby node on ssh without any issue, its just the other traffic being dropped. Traffic to the active node works just fine.</EM></P><P>&nbsp;</P><P><EM>Has anyone seen anything similar before, and have any valuable input?</EM></P> Thu, 11 Mar 2021 12:56:15 GMT https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113163#M21242 KM1895 2021-03-11T12:56:15Z https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113237#M21259 <P>Am I understanding correctly that ICMP from an IP is getting dropped on anti-spoofing but SSH from the same IP is allowed?<BR />That sounds like a bug.<BR />I would ensure you have the latest recommended Jumbo Hotfix first.<BR />If the problem still persists, raise a TAC case.</P> Thu, 11 Mar 2021 20:59:02 GMT https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113237#M21259 PhoneBoy 2021-03-11T20:59:02Z https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113263#M21263 <P>Could you please attach a screenshot of the drop or output from fw ctl zdebug command? I think that would be helpful in trying to figure out why this is happening.</P> <P>Andy</P> Fri, 12 Mar 2021 00:14:03 GMT https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113263#M21263 the_rock 2021-03-12T00:14:03Z https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113288#M21268 <P>hi,</P><P>&nbsp;</P><P>The icmp and snmp comes from the same address, and is dropped by antispoofing. The ssh is from another address, but that kinda proves the forward to not active parameter is working.</P><P>What i find really weird, is that i did some more troubleshooting today, and while the smartconsole logs clearly states antispoofing and drop, this never shows up on the cluster members when i do fw ctl zdebug drop on both of them.</P><P>&nbsp;</P><P>Im starting to lean towards some kind of bug here, and we are in the planning process of doing an upgrade to R80.40, which will hopefully solve this issue.</P> Fri, 12 Mar 2021 10:26:47 GMT https://community.checkpoint.com/t5/General-Topics/traffic-to-standby-node-is-dropped-by-anti-spoofing/m-p/113288#M21268 KM1895 2021-03-12T10:26:47Z