topic Re: Maestro Dual site sync troubleshooting in Hyperscale Firewall (Maestro) https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-Dual-site-sync-troubleshooting/m-p/242874#M3213 <P>The SGM sync packets for SG1 will traverse VLAN 3801 on the site_sync interface(s). Check the switching layer for any issues around duplicate MACs and the switch suspending ports.</P> Tue, 04 Mar 2025 03:25:01 GMT emmap 2025-03-04T03:25:01Z Maestro Dual site sync troubleshooting https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-Dual-site-sync-troubleshooting/m-p/242402#M3207 <P>Hello</P><P>I am having issues with Maestro Dual site (Single MHO) synchronization through external L2 switches. Since the customer does not want to use QinQ I turned it off, then we created trunk ports on the switches and we allowed VLAN IDs 3951 for MHO and 3801+ for the SGs. The MHO sync works fine, but the SGs sync does not work and I do not know if it is some kind of issue on the MHO or on the switches.<BR />IF I ping from SGM 1_1 (192.0.2.1) to SGM 2_1 on the sync network: ping 192.0.2.15 then there is no answer and I can see in tcpdump that the SGM 1_1 is ARP asking for MAC of 192.0.2.15:</P><P>[Expert@FW-JUST_EXT-ch01-01:0]# ping 192.0.2.15<BR />PING 192.0.2.15 (192.0.2.15) 56(84) bytes of data.<BR />From 192.0.2.1 icmp_seq=1 Destination Host Unreachable<BR />From 192.0.2.1 icmp_seq=2 Destination Host Unreachable<BR />From 192.0.2.1 icmp_seq=3 Destination Host Unreachable<BR />From 192.0.2.1 icmp_seq=4 Destination Host Unreachable</P><P>[Expert@FW-JUST_EXT-ch01-01:0]# tcpdump -nni Sync host 192.0.2.15<BR />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<BR />listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes<BR />16:51:10.486344 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28<BR />16:51:11.488348 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28<BR />16:51:13.485469 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28<BR />16:51:14.486357 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28</P><P>However I cannot find any of those ARPs on the MHO itself to verify that those ARP packets are leaving the MHO. Is there a way how to verify that the sync packets from SGM 1_1 are leaving the MHO1 via the external sync and are sent to MHO2 (SGM 2_1) through the switches?<BR />The packets should be leaving the MHO with the 192.0.2.x source IP or is MHO sending even the SG sync packets with the MHO sync IP 203.0.113.x?</P><P>Thank you<BR />Arnost</P> Wed, 26 Feb 2025 12:45:06 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-Dual-site-sync-troubleshooting/m-p/242402#M3207 Arnost_Odvalil 2025-02-26T12:45:06Z Re: Maestro Dual site sync troubleshooting https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-Dual-site-sync-troubleshooting/m-p/242874#M3213 <P>The SGM sync packets for SG1 will traverse VLAN 3801 on the site_sync interface(s). Check the switching layer for any issues around duplicate MACs and the switch suspending ports.</P> Tue, 04 Mar 2025 03:25:01 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-Dual-site-sync-troubleshooting/m-p/242874#M3213 emmap 2025-03-04T03:25:01Z