This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martijn
Advisor
Advisor
‎2020-05-12 11:53 AM

Gratuitous ARP not send on VLAN

Hi All,

At a customer site, I have created a R80.30 ClusterXL cluster with jumbo take 155 which is working fine. All is OK when checking the cluster with 'cphaprob stat', 'cphaprob -l list' and 'cphaprob -a if'. The connection table is also synced, so the cluster seems OK.

But when we perform a fail-over with 'clusterXL_admin down' on the active member, we loose connections on one specific VLAN. On the other interfaces and VLAN's no problems are reported when we perform a fail-over.

Our first impression was the layer 3 devices in that network do not act on the gratuitous ARP being send. But when I manually send a G-ARP into the network, all connections via that VLAN are restored. I used the following to send the G-ARP

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind <---- 0=off, 1=on
arping -c 4 -A -I eth3 10.10.10.10

We have a computer with Wireshark in that VLAN and when we perform a fail-over with 'clusterXL_admin down', we do not see the G-ARP packets. When we manually send the G-ARP, we can see these packets in Wireshark.

I have check for know issues with ARP or G-ARP in jumbo hotfixes, but I cannot find anything.

Someone has seen this before? It is very strange because it is on one VLAN only.

Regards,

Martijn

 

0 Kudos
2 Replies
Maarten_Sjouw
Champion
Champion
‎2020-05-12 02:25 PM

This is the very reason why vMAC is available to prevent these type of problems. We have seen similar issues with Proxy ARP's that were lost on a internet router with the default 4 hour ARP cache. Switching the cluster back and forth would make it loose the G-ARP for the second switch.
This one of those little advantages VRRP has as well, there is always a vMAC with VRRP.
Regards, Maarten
0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2020-05-12 02:47 PM

If you enable VMAC, just make sure that all switchports attached to the firewall are set to "portfast" mode to avoid possibly honking off STP on some switches during a failover.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 10:00 AM (CEST)

    CheckMates Live BeLux: How Can Check Point AI Copilot Assist You?
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    CheckMates Events