
Manual NAT with proxy ARP fails randomly

Hi mates, 

We are dealing with another strange issue, where a published NAT stops working randomly after a policy install. 

The rule works as expected, the proxy ARP entry is in place, and after changing something completely unrelated (i.e. enabling a protection from staging to prevent), the NAT entry stops working.

Sometimes it is one NAT rule, sometimes it is another.

We are cleaning up our NAT rulebase (currently 377 NAT rules, approximately 40% had already been disabled) just to deal with this and clean things up.

Has somebody found this problem before?

0 Kudos
7 Replies

Re: Manual NAT with proxy ARP fails randomly

Just a few simple questions:
Which version is on the gateway, which jumbo?
Are you using VMAC in clustering? ClusterXL or VRRP?
In the proxy arp command are you referring to the interface or the mac address?
When it does not work, what does 'fw ctl arp' tell you, is it really gone?
Regards, Maarten
0 Kudos

Re: Manual NAT with proxy ARP fails randomly

R80.10 jumbo Take 203

Cluster XL & VMAC 

I'm referring to both the IP and the MAC address, using fw ctl arp. It's in place. 

 

0 Kudos

Re: Manual NAT with proxy ARP fails randomly

UPDATE: When launching "clusterXL_admin down && clusterXL_admin up" from the active member, the passive member becomes ACTIVE and the NAT rule starts working again. If you fail back again, the NAT rule still does not work.

With cpstop && cpstart on the failing member, it starts working normally.

0 Kudos

Re: Manual NAT with proxy ARP fails randomly

Are you using VMAC?
So the command you are using:
add arp proxy ipv4-address 123.123.123.125 macaddress 00:1c:7f:38:22:fe real-ip 123.123.123.123
Where real-ip is the IP of the member, not the VIP, and the macaddress is the VMAC when using VMAC.
Regards, Maarten
0 Kudos

Re: Manual NAT with proxy ARP fails randomly

This sounds like you need to open a TAC case and involve @Ilya_Yusupov with this issue.
Regards, Maarten

Re: Manual NAT with proxy ARP fails randomly

Exactly, that's it.
0 Kudos

Re: Manual NAT with proxy ARP fails randomly

Sounds an awful lot like this (sk154092 - Security Gateway loses Proxy ARP entries after policy installation), for which there is a hotfix available:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
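
The question asked earlier in the thread (is the entry really gone from 'fw ctl arp' after a policy install?) can be checked mechanically. The script below is an added example, not from the thread or from Check Point. It assumes `fw ctl arp` prints one entry per line as `(IP) at MAC interface REAL-IP`; the function name, the second address and both sample captures are constructed.

```shell
#!/bin/sh
# Added example: list expected proxy ARP IPs that are absent from the
# kernel proxy ARP table, e.g. right after a policy install.
# Assumption: entry lines look like "(IP) at MAC interface REAL-IP".

# missing_proxy_arp EXPECTED_IPS ARP_OUTPUT   (hypothetical helper name)
#   EXPECTED_IPS: whitespace-separated NATed IPs that must be proxied
#   ARP_OUTPUT:   captured text of `fw ctl arp`
# Prints one missing IP per line; returns 1 if any are missing, else 0.
missing_proxy_arp() {
    expected=$1
    arp_output=$2
    # Pull the address out of the leading parentheses of each entry line.
    present=$(printf '%s\n' "$arp_output" |
        sed -n 's/^[[:space:]]*(\([0-9.]*\)) at .*/\1/p')
    rc=0
    for ip in $expected; do
        # -x whole-line match, -F literal string (dots are not wildcards),
        # so 1.2.3.4 never matches 1.2.3.45 or 1x2x3x4.
        if ! printf '%s\n' "$present" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample captures: before and after a policy install.
SAMPLE_BEFORE=' (123.123.123.125) at 00-1c-7f-38-22-fe interface 123.123.123.123
 (123.123.123.126) at 00-1c-7f-38-22-fe interface 123.123.123.123'
SAMPLE_AFTER=' (123.123.123.126) at 00-1c-7f-38-22-fe interface 123.123.123.123'
EXPECTED='123.123.123.125 123.123.123.126'

# On a gateway, pass the live table instead of a sample:
#   missing_proxy_arp "$EXPECTED" "$(fw ctl arp)"
missing_proxy_arp "$EXPECTED" "$SAMPLE_AFTER" ||
    echo "proxy ARP entries listed above are missing"
```

Run it on each cluster member after every policy install and log the result. A member that reports missing entries matches the symptom described in sk154092, while a clean result with NAT still failing points elsewhere.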