This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_Matt
Contributor
‎2025-06-16 05:32 AM
Jump to solution

CP21800 (R80.40 Jumbo T211) - reply not from Cluster IP

Hi all,

I'm trying to use our old and unsupported Checkpoint 21800 Gateways as an analysis firewall in our Cisco ACI fabric. The gateways should be used to see the communication patterns between various devices. Based on the logs Cisco ACI contracts will be applied in the fabric. The gateways should only be used for initial analysis - no real world traffic.

I've setup the gateways with the latest supported version 80.40 and the latest (recommended) Jumbo Take 211. ClusterXL was configured manually. CIsco recommends a one-armed firewall for this use case. Therefore the Cluster had been configured as follows:

fw-1 eth01 (cluster & sync) in aci pod 1 -> 10.200.90.4/29

fw-2 eth01 (cluster & sync) in aci pod 2 -> 10.200.90.5/29 (Active Node)

VMAC -> 10.200.90.6/29

Gateway -> 10.200.90.1/29

Now I have this weird phenomenon:

Ping checks under any linux environment (our linux jump host, cisco switches and routers) work flawlessly.

Ping checks under Windows:

Ping to 10.200.90.4 works perfect
Ping to 10.200.90.5 works perfect
Ping to 10.200.90.6 does not work

After some wait time and no traffic to the above mentioned IPs it looks like this

Ping to 10.200.90.4 works perfect
Ping to 10.200.90.5 does not work
Ping to 10.200.90.6 works perfect

and so on ...

Did a wireshark trace under Windows and it showed that the Cluster is not responding from the VMAC IP 10.200.9.6 but instead responding from 10.200.9.5

Verified under linux with fping

fping 10.200.90.4 10.200.90.5 10.200.90.6
10.200.90.4 is alive
10.200.90.5 is alive
[<- 10.200.90.5]10.200.90.6 is alive

means that fping received the ICMP echo reply from 10.200.90.6, but it came with a source address of 10.200.90.5.

I've search all available SKs but without success. Any ideas from the experts how to solve or remediate this?

Could "Cluster IP Addresses on Different Subnets" be a solution? But how to configure this on a one-armed-firewall?

Any help is highly appreciated 😁

Kind regards

Oliver

 

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-16 05:46 AM
Jump to solution

Have you accounted for this or do I miss understand your scenario?

https://support.checkpoint.com/results/sk/sk26874

https://supportcontent.checkpoint.com/solutions?id=sk26874

CCSM R77/R80/ELITE

View solution in original post

Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-16 05:59 AM
In response to Oliver_Matt
Jump to solution

Apologies in my attempt to fix the old URL format I posted the incorrect SK identifier, hopefully the other is helpful!

sk26874 - Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
9 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-16 05:46 AM
Jump to solution

Have you accounted for this or do I miss understand your scenario?

https://support.checkpoint.com/results/sk/sk26874

https://supportcontent.checkpoint.com/solutions?id=sk26874

CCSM R77/R80/ELITE
Oliver_Matt
Contributor
‎2025-06-16 05:56 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

thx for the SKs. 

sk102327 - Unable to ping cluster Virtual IP address from a cluster member in ClusterXL in High Availability and in Load Sharing modes. This is not my current situation.

sk26874 - this looks exactly like my problem - will investigate on that sk.

Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-06-16 05:59 AM
In response to Oliver_Matt
Jump to solution

Apologies in my attempt to fix the old URL format I posted the incorrect SK identifier, hopefully the other is helpful!

sk26874 - Cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster members from a remote host

CCSM R77/R80/ELITE
0 Kudos
Oliver_Matt
Contributor
‎2025-06-16 06:14 AM
In response to Oliver_Matt
Jump to solution

Hi Chris,

again many thx - you've saved my day. sk26874 did the trick.

Oliver

the_rock
MVP Gold
MVP Gold
‎2025-06-16 05:47 AM
Jump to solution

Hey Oliver,

Can you check if what I attached is checked or not?

Andy

Preview file
34 KB
0 Kudos
Oliver_Matt
Contributor
‎2025-06-16 05:54 AM
In response to the_rock
Jump to solution

Hi Andy,

yes - VMAC is checked.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-16 05:55 AM
In response to Oliver_Matt
Jump to solution

I would try uncheck it and see if it makes any difference.

Andy

0 Kudos
Oliver_Matt
Contributor
‎2025-06-16 05:58 AM
In response to the_rock
Jump to solution

Tried already several times without success. Will investigate in the sk26874 and post the outcome.

Oliver

the_rock
MVP Gold
MVP Gold
‎2025-06-16 05:59 AM
In response to Oliver_Matt
Jump to solution

Sounds like a good idea. Maybe also try zdebug command to see if any drops.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events