cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

What is the expected traffic in a packet capture for Checkpoint High Avalibility?

While working on a issue I noticed this on a wireshark packet capture on my Nexus 9000 switch is connected to a 15400 XL running Gaia 80.33 (whatever the current version is). There are two 15400 XL in one DC1 and 2 in DC2. The 4 are all clustered together for the VSS. The 192.168.xxx.xx is checkpoint's "internal switch" address. My question is should I be seeing these messages sent to the switchport that is connected to the firewall? The port that is connected to the firewall from the Nexus is for multicast traffic. I did a packet capture in our QA environment which is a mirror of our production with the exception of there are only 2 15400 XL and I don't see these messages below. Is this a mis- configuration of the Firewall High Availability being sent to the Nexus connecting port? 

 

2019-07-10 15:34:26.154998 0.0.0.0 -> 192.168.xxx.xx CPHA CPHAv3223: FWHA_MY_STATE
2019-07-10 15:34:26.155007 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155010 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155013 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ

0 Kudos
5 Replies
Admin
Admin

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

Check Point's sync traffic is multicast by default.
While the actual connection sync data goes over the sync network, probes do go out over each connected interface.
This is to verify cluster members can reach each other on every interface.
I haven't seen what this traffic looks like in R80.30 to verify what you're seeing is correct.
0 Kudos
Admin
Admin

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

Just to correct myself, R80.20 and above, the default sync traffic is unicast, not multicast.
CCP packets should appear on all "clustered" interfaces.
0 Kudos

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

The default is indeed Unicast for this traffic, unless the gateways were upgraded, then the previous state is just copied and left alone.
Regards, Maarten
0 Kudos

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

I want to thank you for the responses. My question was is not if its unicast or multicast. It was if what I pasted in the original posting is what should be occuring on connected interfaces to the firewall. As I stated I do not see that in our QA environment with the same code and chassis.

0 Kudos
Admin
Admin

Re: What is the expected traffic in a packet capture for Checkpoint High Avalibility?

CCP packets should be appearing on all "Clustered" interfaces, as I said previously.
If you're not seeing them, it's because the configuration of the Cluster object is different with respect to the interfaces in your QA environment.
0 Kudos