- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: Azure R81.20 Cloudguard Cluster Deployment - B...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure R81.20 Cloudguard Cluster Deployment - Backend Routing Problem
Hello,
I have deployed an R81.20 cloudguard cluster using the following IAC.
I have a backend routing issue where whereby
- I have provisioned a test VM in another VNET to test egress connectivity
- The VM VNET and FW backend VNETs have been associated with the internal routable
- The required routes have been added to the internal routable- default route is 0.0.0.0/0 with next hop IP the backend lb
- VNET peering has been setup between the VM VNET and the connectivity VNET (VNET FW subnets reside in).
- Static route to internal subnet has been configured on each gateway i.e.
set static-route <Virtual-Network-IP-address/Prefix> nexthop gateway address <eth1-router-IP-address> on - Anti-spoofing has been disabled on both eth0 and eth1 interfaces
- In Smart Console, a test VM object has been created and allowed access in policy, outbound NAT has been configured translating source to frontend eth0 external private IP.
I can see traffic hitting the active member including the a reply. But the on the VM the ICMP requests are timing out.
[Expert@checkpoint-cloudguard-ha1:0]# tcpdump -nnnei any host 172.19.0.4 and host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
06:14:29.364296 In fc:bd:67:89:19:6e ethertype IPv4 (0x0800), length 76: 172.19.0.4 > 1.1.1.1: ICMP echo request, id 1, seq 352, length 40
06:14:29.366766 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 > 172.19.0.4: ICMP echo reply, id 1, seq 352, length 40
06:14:29.366785 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 > 172.19.0.4: ICMP echo reply, id 1, seq 352, length 40
06:14:34.107158 In fc:bd:67:89:19:6e ethertype IPv4 (0x0800), length 76: 172.19.0.4 > 1.1.1.1: ICMP echo request, id 1, seq 353, length 40
06:14:34.109671 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 > 172.19.0.4: ICMP echo reply, id 1, seq 353, length 40
06:14:34.109692 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 > 172.19.0.4: ICMP echo reply, id 1, seq 353, length 40
fw monitor -w -F <172.19.0.4>,0,<1.1.1.1>,0,0 -F <1.1.1.1>,0,<172.19.0.4>,0,0
[vs_0][ppak_0] eth1:i[60]: 172.19.0.4 -> 1.1.1.1 (ICMP) len=60 id=44093
ICMP: type=8 code=0 echo request id=1 seq=356
[vs_0][fw_2] eth1:i[60]: 172.19.0.4 -> 1.1.1.1 (ICMP) len=60 id=44093
ICMP: type=8 code=0 echo request id=1 seq=356
[vs_0][fw_2] eth1:I[60]: 172.19.0.4 -> 1.1.1.1 (ICMP) len=60 id=44093
ICMP: type=8 code=0 echo request id=1 seq=356
[vs_0][fw_2] eth0:o[60]: 172.19.0.4 -> 1.1.1.1 (ICMP) len=60 id=44093
ICMP: type=8 code=0 echo request id=1 seq=356
[vs_0][fw_2] eth0:I[60]: 1.1.1.1 -> 172.19.0.4 (ICMP) len=60 id=55497
ICMP: type=0 code=0 echo reply id=1 seq=356
[vs_0][fw_2] eth1:o[60]: 1.1.1.1 -> 172.19.0.4 (ICMP) len=60 id=55497
ICMP: type=0 code=0 echo reply id=1 seq=356
[vs_0][fw_2] eth1:O[60]: 1.1.1.1 -> 172.19.0.4 (ICMP) len=60 id=55497
ICMP: type=0 code=0 echo reply id=1 seq=356
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you set a route in the backend network to the lowest IP address of the VNET on the Check Point FW?
For example
Backend network 10.70.22.64/26
Gateway IP 10.70.22.65 for Azure internal networks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. Per the documentation, the 3 required routes are as follows.
default_route 0.0.0.0/0 VirtualAppliance 172.18.0.69 (backend-lb)
vm-01-vnet-local 172.19.0.0/24 VNetLocal
vm-01-vnet-other-subnets 172.18.0.0/26 VirtualAppliance 172.18.0.69 (backend-lb)