- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hi all,
I'm trying to use our old and unsupported Checkpoint 21800 Gateways as an analysis firewall in our Cisco ACI fabric. The gateways should be used to see the communication patterns between various devices. Based on the logs Cisco ACI contracts will be applied in the fabric. The gateways should only be used for initial analysis - no real world traffic.
I've setup the gateways with the latest supported version 80.40 and the latest (recommended) Jumbo Take 211. ClusterXL was configured manually. CIsco recommends a one-armed firewall for this use case. Therefore the Cluster had been configured as follows:
fw-1 eth01 (cluster & sync) in aci pod 1 -> 10.200.90.4/29
fw-2 eth01 (cluster & sync) in aci pod 2 -> 10.200.90.5/29 (Active Node)
VMAC -> 10.200.90.6/29
Gateway -> 10.200.90.1/29
Now I have this weird phenomenon:
Ping checks under any linux environment (our linux jump host, cisco switches and routers) work flawlessly.
Ping checks under Windows:
Ping to 10.200.90.4 works perfect
Ping to 10.200.90.5 works perfect
Ping to 10.200.90.6 does not work
After some wait time and no traffic to the above mentioned IPs it looks like this
Ping to 10.200.90.4 works perfect
Ping to 10.200.90.5 does not work
Ping to 10.200.90.6 works perfect
and so on ...
Did a wireshark trace under Windows and it showed that the Cluster is not responding from the VMAC IP 10.200.9.6 but instead responding from 10.200.9.5
Verified under linux with fping
fping 10.200.90.4 10.200.90.5 10.200.90.6
10.200.90.4 is alive
10.200.90.5 is alive
[<- 10.200.90.5]10.200.90.6 is alive
means that fping received the ICMP echo reply from 10.200.90.6, but it came with a source address of 10.200.90.5.
I've search all available SKs but without success. Any ideas from the experts how to solve or remediate this?
Could "Cluster IP Addresses on Different Subnets" be a solution? But how to configure this on a one-armed-firewall?
Any help is highly appreciated 😁
Kind regards
Oliver
Have you accounted for this or do I miss understand your scenario?
https://support.checkpoint.com/results/sk/sk26874
https://supportcontent.checkpoint.com/solutions?id=sk26874
Apologies in my attempt to fix the old URL format I posted the incorrect SK identifier, hopefully the other is helpful!
sk26874 - Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host
Have you accounted for this or do I miss understand your scenario?
https://support.checkpoint.com/results/sk/sk26874
https://supportcontent.checkpoint.com/solutions?id=sk26874
Hi Chris,
thx for the SKs.
sk102327 - Unable to ping cluster Virtual IP address from a cluster member in ClusterXL in High Availability and in Load Sharing modes. This is not my current situation.
sk26874 - this looks exactly like my problem - will investigate on that sk.
Apologies in my attempt to fix the old URL format I posted the incorrect SK identifier, hopefully the other is helpful!
sk26874 - Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host
Hi Chris,
again many thx - you've saved my day. sk26874 did the trick.
Oliver
Hi Andy,
yes - VMAC is checked.
I would try uncheck it and see if it makes any difference.
Andy
Tried already several times without success. Will investigate in the sk26874 and post the outcome.
Oliver
Sounds like a good idea. Maybe also try zdebug command to see if any drops.
Andy
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
14 | |
12 | |
11 | |
9 | |
8 | |
7 | |
5 | |
5 | |
5 | |
5 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY