topic Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP in General Topics

CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Oliver_Matt — Mon, 16 Jun 2025 12:32:49 GMT

Hi all,

I'm trying to use our old and unsupported Checkpoint 21800 Gateways as an analysis firewall in our Cisco ACI fabric. The gateways should be used to see the communication patterns between various devices. Based on the logs Cisco ACI contracts will be applied in the fabric. The gateways should only be used for initial analysis - no real world traffic.

I've setup the gateways with the latest supported version 80.40 and the latest (recommended) Jumbo Take 211. ClusterXL was configured manually. CIsco recommends a one-armed firewall for this use case. Therefore the Cluster had been configured as follows:

fw-1 eth01 (cluster & sync) in aci pod 1 -> 10.200.90.4/29

fw-2 eth01 (cluster & sync) in aci pod 2 -> 10.200.90.5/29 (Active Node)

VMAC -> 10.200.90.6/29

Gateway -> 10.200.90.1/29

Now I have this weird phenomenon:

Ping checks under any linux environment (our linux jump host, cisco switches and routers) work flawlessly.

Ping checks under Windows:

Ping to 10.200.90.4 works perfect
Ping to 10.200.90.5 works perfect
Ping to 10.200.90.6 does not work

After some wait time and no traffic to the above mentioned IPs it looks like this

Ping to 10.200.90.4 works perfect
Ping to 10.200.90.5 does not work
Ping to 10.200.90.6 works perfect

and so on ...

Did a wireshark trace under Windows and it showed that the Cluster is not responding from the VMAC IP 10.200.9.6 but instead responding from 10.200.9.5

Verified under linux with fping

fping 10.200.90.4 10.200.90.5 10.200.90.6
10.200.90.4 is alive
10.200.90.5 is alive
[<- 10.200.90.5]10.200.90.6 is alive

means that fping received the ICMP echo reply from 10.200.90.6, but it came with a source address of 10.200.90.5.

I've search all available SKs but without success. Any ideas from the experts how to solve or remediate this?

Could "Cluster IP Addresses on Different Subnets" be a solution? But how to configure this on a one-armed-firewall?

Any help is highly appreciated 😁

Kind regards

Oliver

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Chris_Atkinson — Mon, 16 Jun 2025 12:56:55 GMT

Have you accounted for this or do I miss understand your scenario?

https://support.checkpoint.com/results/sk/sk26874

https://supportcontent.checkpoint.com/solutions?id=sk26874

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

the_rock — Mon, 16 Jun 2025 12:47:03 GMT

Hey Oliver,

Can you check if what I attached is checked or not?

Andy

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Oliver_Matt — Mon, 16 Jun 2025 12:54:28 GMT

Hi Andy,

yes - VMAC is checked.

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

the_rock — Mon, 16 Jun 2025 12:55:32 GMT

I would try uncheck it and see if it makes any difference.

Andy

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Oliver_Matt — Mon, 16 Jun 2025 12:56:53 GMT

Hi Chris,

thx for the SKs.

sk102327 - Unable to ping cluster Virtual IP address from a cluster member in ClusterXL in High Availability and in Load Sharing modes. This is not my current situation.

sk26874 - this looks exactly like my problem - will investigate on that sk.

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Oliver_Matt — Mon, 16 Jun 2025 12:58:12 GMT

Tried already several times without success. Will investigate in the sk26874 and post the outcome.

Oliver

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Chris_Atkinson — Mon, 16 Jun 2025 13:02:07 GMT

Apologies in my attempt to fix the old URL format I posted the incorrect SK identifier, hopefully the other is helpful!

sk26874 - Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

the_rock — Mon, 16 Jun 2025 12:59:38 GMT

Sounds like a good idea. Maybe also try zdebug command to see if any drops.

Andy

Re: CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Oliver_Matt — Mon, 16 Jun 2025 13:14:21 GMT

Hi Chris,

again many thx - you've saved my day. sk26874 did the trick.

Oliver