topic Re: ARP Issue in Spark Firewall (SMB)

ARP Issue

leonid1890 — Tue, 16 Apr 2024 08:08:31 GMT

Hello,

I have Check Point's 1570 Appliance R80.20.50 - Build 773

I have issue with ARP entries.

After I move computers from one network to another (I change VLAN in my Switch for example
from VLAN 30 to VLAN 44) I get duplicate entries.

Sometime check point delete it quickly sometime it is there for day.

For example:

[Expert@Test]# arp -n | grep a1
? (10.40.30.10) at e3:75:aa:aa:bb:a1 [ether] on LAN8.30
? (10.40.44.10) at e3:75:aa:aa:bb:a1 [ether] on LAN8.44

Is there a way to get rid of duplicate entries?

Re: ARP Issue

G_W_Albrecht — Tue, 16 Apr 2024 09:11:35 GMT

Did you try a reboot ? I would also suggest to update to R81.10.10 as your current firmware will be out of support in Jun-24.

Re: ARP Issue

leonid1890 — Tue, 16 Apr 2024 10:29:18 GMT

Restart helping but in my organization I have a lot of IP chage on daily basis, I can't reboot each time it is hapening.

I will try to upgrade and see if it will help.

Re: ARP Issue

G_W_Albrecht — Tue, 16 Apr 2024 11:19:36 GMT

Afaik clearing the arp cache is only possible in GAiA, not in GAiA Embedded.

Re: ARP Issue

Chris_Atkinson — Tue, 16 Apr 2024 11:26:48 GMT

Can you describe the issue in more detail, you have multiple hosts on the same VLAN with conflicting ARP entries or just stale entries for ARP/DHCP triggered by the move?

Also for awareness per sk166552 all interfaces will share the same mac unless you overwrite this. Most switches with per-vlan learning shouldn't have an issue with this.

Re: ARP Issue

leonid1890 — Tue, 16 Apr 2024 11:48:23 GMT

I have very simple lab, firewall connected to swtich.

I have a lot of sub interfaces on the firewall.

I have PC connected to switch with VLAN X.

After I change VLAN on the switch to VLAN Y,

My PC get new IP from VLAN Y address pool (Check Point is DHCP Server for all sub intefaces).

On Check Point in ARP table we will see two entries, same MAC diffrenet IPs.

This ARP entries remain in ARP table a lot of time (sometime more then 12 hours).

This behabiour is unwanted.

Re: ARP Issue

Chris_Atkinson — Tue, 16 Apr 2024 12:16:04 GMT

Duration aside for the moment this is expected since the interface state on the Check Point didn't change.

ARP timeout is currently not configurable, separately from DHCP lease time etc.

What value do you see with this?

[Expert@1500]# cat /proc/sys/net/ipv4/neigh/<interface_name>/gc_stale_time

Re: ARP Issue

leonid1890 — Tue, 16 Apr 2024 12:39:18 GMT

Everthing by default is 60

Re: ARP Issue

Chris_Atkinson — Tue, 16 Apr 2024 13:19:02 GMT

Since this is a lab it's definitely worth checking if R81.10.10 changes your symptoms, else you will need to review with TAC.

In parallel I would suggest discussing the need for the configurable ARP timeout with your local CP SE as an RFE.