This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VIKASH_GIRI
Contributor
‎2024-09-20 06:23 AM

Cluster Load sharing issue

Hi,

I am using R81.20 with JHF-take 65 for my FW1 and FW2. I made cluster. 

While enabling the Load balance , I am not able to reach global dns 8.8.8.8 from both Gateway.

on HA we are able to reach global dns.

Attached some snap for reference.

 

VIKAS_SINGH_0-1726838526507.png

 

 

Cphaprob stat output

VIKAS_SINGH_1-1726838526522.png

 

Ping global dns

VIKAS_SINGH_2-1726838526526.png

 

 

0 Kudos
13 Replies
PhoneBoy
Admin
Admin
‎2024-09-20 12:30 PM

What do you see with a tcpdump when trying this?

0 Kudos
VIKASH_GIRI
Contributor
‎2024-09-21 12:19 AM
In response to PhoneBoy

i hvnt taken tcpdump , will post on Monday .

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-20 05:29 PM

We definitely need more info. As Phoneboy advised, run tcpdump, fw monitor, try ip r g 8.8.8.8. Can you also send us output of route command from expert mode?

What does traceroute show? Network unreachable is super generic error that can mean multiple things. Could be interface issue, default gateway problem, route.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-09-20 08:49 PM

What switches do you have and how is the multicast/IGMP/arp config?

See also sk44898

CCSM R77/R80/ELITE
(1)
the_rock
MVP Diamond
MVP Diamond
‎2024-09-20 09:17 PM
In response to Chris_Atkinson

Valid point Chris.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
VIKASH_GIRI
Contributor
‎2024-09-21 12:49 AM
In response to Chris_Atkinson

we are using Aruba core switches 8360V2 and we have configure MLAG. all VLAN configured on Core switches .

Gateway side we hv done the Bond configuration on both GW.

I hv attached my setup diagram below , also i forget to mention that i am using Ipsec blade and mobile blade 

 
 

 

Preview file
17 KB
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-21 03:58 AM
In response to VIKASH_GIRI

I have bunch of colleagues who deal with Aruba constantly (I personally dont as much), but I always hear them talk about igmp snooping. Maybe something you can verify if its enabled. Obviously, if you have multicast traffic on your network, that needs to be enabled, otherwise, probably not.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-09-23 02:59 AM
In response to VIKASH_GIRI

I'm not sure the bonds are so relevant here but you can check to ensure the hashing mode aligns.

Per the sk article I referenced above Load-sharing cluster mode isn't compatible with all vendors switches, you may need to implement some changes.

CCSM R77/R80/ELITE
0 Kudos
VIKASH_GIRI
Contributor
‎2024-09-25 12:57 AM
In response to Chris_Atkinson

Hi, 

I hv one query ,i hv gone through some documents from checkpoint that Load sharing will not work when Ipsec and Mobile blade enable...is it true? or ?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-09-25 02:18 AM
In response to VIKASH_GIRI

 Please see sk101539 for more information, some limitations are version specific.

Also worth mentioning to keep an eye out for  ElasticXL with R82 in terms of load-sharing capabilities.

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-23 09:42 PM

Hey @VIKASH_GIRI 

Were you able to get any traction on this issue?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
VIKASH_GIRI
Contributor
‎2024-09-25 12:49 AM
In response to the_rock

HI,

Its running setup so not able to do any troubleshooting , i will get time on weekend only . will keep you posted.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-09-25 06:32 AM

Most L3 routers (not L2 switches) will refuse to cache a multicast MAC address received in an ARP reply so you will probably need to hardcode this on all L3 devices surrounding the gateway.

For your L2 switches, not all switches will handle multicast MAC addresses correctly, and will not consistently forward traffic bound for a multicast MAC to all the proper ports.  Once again, hardcoding the multicast MACs at the switch level may be required.  To summarize:

MULTICAST MACs = HARDCODING PAIN & SUFFERING

When taking your tcpdumps, make sure to include the -e option so you can see the Layer 2 MAC addresses.  

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events