This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paul_Hagyard
Advisor
Tuesday

arping responses not showing on newer appliances

We have noticed with newer appliances (standard cluster members, not VSX or Maestro) that we do not get a response to "arping" requests as we do with older appliances, open servers, and CG IaaS on VMware. The issue is present for both standard and bond interfaces. We are definitely getting a response as running a tcpdump in another window for ARP traffic for the address in the arping command shows the reply.

We use arping extensively for simple connectivity testing (ping is often blocked by firewalls), has anyone else seen this or have any workarounds? The tcpdump approach is a pretty ugly workaround  as it needs another command (in another window or as a background task) for each arping.

Cheers

0 Kudos
19 Replies
the_rock
MVP Gold
MVP Gold
Tuesday

Interesting... any specific model?

Andy

0 Kudos
Paul_Hagyard
Advisor
Thursday
In response to the_rock

I've only noticed it on 9100 Plus appliances so far.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
Wednesday

Code version?  The Gaia kernel has been updated numerous times in recent releases, and arping may have been touched by those updates as it is a Linux utility.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
the_rock
MVP Gold
MVP Gold
Wednesday
In response to Timothy_Hall

That could be, for sure. I had not seen this on new 3920 models though.

Andy

0 Kudos
Paul_Hagyard
Advisor
Thursday
In response to Timothy_Hall

R81.20 JHF 105

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
Wednesday

When you say you don't get a response, what exactly do you mean? As you said, you must be getting ARP replies, otherwise traffic wouldn't work. Is the arping command telling you it got no responses?

[Expert@DallasSC]# arping -I eth1 -c 1 10.0.1.252
ARPING 10.0.1.252 from 10.0.1.251 eth1
Unicast reply from 10.0.1.252 [00:12:C1:10:01:FC]  0.802ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

[Expert@DallasSC]# cpinfo -y all 2>&1 | grep JUMBO_HF_MAIN | uniq
	HOTFIX_R82_JUMBO_HF_MAIN	Take:  41
	BUNDLE_R82_JUMBO_HF_MAIN	Take:  41

 

0 Kudos
the_rock
MVP Gold
MVP Gold
Wednesday
In response to Bob_Zimmerman

I just did tcpdump -enni any arp in my lab and gave results. Not sure what was exact command ran by @Paul_Hagyard , but even any arp command I did was fine too.

Andy

0 Kudos
Paul_Hagyard
Advisor
Thursday
In response to Bob_Zimmerman

Correct, arping shows no responses but tcpdump shows the reply is seen.

Seen on 9100 Plus appliances.

0 Kudos
the_rock
MVP Gold
MVP Gold
Thursday
In response to Paul_Hagyard

What about just arp or arp -a?

Andy

0 Kudos
Paul_Hagyard
Advisor
Thursday
In response to the_rock

Those are both passive, so you need to ping first (or something) to generate an ARP request then check the arp table (arp -an). arping is a quick way to confirm that all the devices you could see before (e.g. platform migration) are still visible after.

0 Kudos
Paul_Hagyard
Advisor
Thursday
In response to Paul_Hagyard

Couple of screenshots attached, one showing arping with no responses when ping is working (allowed by the policy in this case), the second showing arping with no responses when tcpdump confirms that the ARP replies were received.

 

Preview file
78 KB
Preview file
87 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
Thursday
In response to Paul_Hagyard

Odd...just tried in the lab, even R82 has same issue.

Andy

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
Thursday
In response to Paul_Hagyard

That's bizarre. I would open a TAC case at this point. arping definitely works in general on Check Point's software.

Might be a quirk with the 9100. I don't have one to test to be sure, but I doubt that's it. Check Point's branded hardware is pretty vanilla amd64 gear, just with weird, proprietary card slots. It's normal enough you can run Windows on it.

0 Kudos
the_rock
MVP Gold
MVP Gold
Thursday
In response to Bob_Zimmerman

Just tried on customer's 6200, same issue.

Andy

0 Kudos
Paul_Hagyard
Advisor
Thursday
In response to the_rock

Same behaviour on 9300 Plus with R82 JHF 39

0 Kudos
the_rock
MVP Gold
MVP Gold
Thursday
In response to Paul_Hagyard

I would open TAC case for this.

Andy

0 Kudos
_Val_
Admin
Admin
Friday

Please open a TAC case for this

0 Kudos
Paul_Hagyard
Advisor
Sunday
In response to _Val_

I've raised a SR and the latest response included:
"The R&D team is actively working on it under case ID TM-89261."

the_rock
MVP Gold
MVP Gold
Sunday
In response to Paul_Hagyard

Thanks for letting us know, Paul.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events