
handle ARP broadcasting on cluster FW

Hi All, 

here is the topology:

I have a cluster GW on R77.30, and each cluster member has an interface in VLAN 142 which is connected to a Cisco L2 switch. On the other side, our client has two redundant servers connected to another Cisco L2 switch, and they configured the servers' GW as my GW VIP 192.168.10.17.

192.168.10.10 Server 1 <----                                           192.168.10.19 FW-1 active
                             Cisco 3750 <-----> Cisco 3850 <----- VIP 192.168.10.17 <------ server B
192.168.10.11 Server 2 <-----                                          192.168.10.18 FW-2 passive

Additional info:

1- In our network a few servers on the server B side want to talk to servers 1 and 2.

2- Servers 1 and 2 are Linux.

So the problem is: when the client patches their servers (1 and 2) and reboots them, all TCP sessions from server B go down, and servers 1 and 2 do not respond to any TCP or ICMP request. When they ping the VIP .17 they get no response, so they have to ping our FW physical IPs .18 and .19 and then ping the VIP .17. Do you have any idea about this issue?

How does the cluster FW handle ARP broadcasts?

 

I'd appreciate it if you share your experience.

4 Replies

Firstly, I have to tell you that the version used, R77.30, is out of support. In sk111956: ARP Forwarding in Check Point ClusterXL you will find details about ARP and ClusterXL...


@Kamiar_Sh 

You may want to try enabling the virtual MAC configuration in ClusterXL; it sounds like that will solve your issue. This way your network will always see the same MAC address for your cluster.

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
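To make the "same MAC address" argument concrete, here is an added simulation (not code from this thread, and not Check Point's own implementation) of how a Linux server's ARP cache sees the cluster VIP with and without a virtual MAC. It models a two-member cluster where the active member answers ARP for the VIP, a host that caches that answer, and a failover during which a gratuitous ARP may or may not be delivered. The member MACs, the VMAC value and the `ip neigh`-style sample output are constructed; `classify_vip_entry` is a hypothetical helper that reports which MAC a server currently holds for the VIP.

```python
"""Constructed simulation of ClusterXL VIP reachability from a server's ARP
cache, with and without a shared virtual MAC (VMAC). Added example; all MAC
addresses below are made up and the VMAC value is a placeholder."""
from __future__ import annotations

from dataclasses import dataclass, field

VIP = "192.168.10.17"
# Constructed physical MACs of the two cluster members (not real addresses).
PHYS_MAC = {"fw1": "00:11:22:aa:aa:01", "fw2": "00:11:22:aa:aa:02"}
# Placeholder VMAC; the real value is derived by the cluster software.
VMAC = "00:1c:7f:00:00:01"


@dataclass
class Cluster:
    """Two-member HA cluster; only the active member answers for the VIP."""
    active: str = "fw1"
    use_vmac: bool = False

    def vip_mac(self) -> str:
        """MAC the active member puts in its ARP reply for the VIP."""
        return VMAC if self.use_vmac else PHYS_MAC[self.active]

    def accepts(self, dst_mac: str) -> bool:
        """A frame reaches the cluster only if it is addressed to the MAC
        the *current* active member owns; frames to the passive member's
        physical MAC are not forwarded."""
        return dst_mac == self.vip_mac()

    def failover(self) -> None:
        self.active = "fw2" if self.active == "fw1" else "fw1"


@dataclass
class Host:
    """Linux server using the VIP as default gateway."""
    arp_cache: dict[str, str] = field(default_factory=dict)

    def resolve(self, ip: str, cluster: Cluster) -> str:
        # Cache miss -> ARP request broadcast; the active member answers.
        if ip not in self.arp_cache:
            self.arp_cache[ip] = cluster.vip_mac()
        return self.arp_cache[ip]

    def send_via_gateway(self, cluster: Cluster) -> bool:
        """True if a packet to the default gateway is accepted by the cluster."""
        return cluster.accepts(self.resolve(VIP, cluster))

    def learn_garp(self, ip: str, mac: str) -> None:
        """Gratuitous ARP from the new active member updates the cache."""
        self.arp_cache[ip] = mac


def scenario(use_vmac: bool, garp_delivered: bool) -> list[bool]:
    """Reachability of the VIP before and after a failover.

    Returns [before_failover, after_failover]."""
    cluster = Cluster(active="fw1", use_vmac=use_vmac)
    host = Host()
    results = [host.send_via_gateway(cluster)]
    cluster.failover()
    if garp_delivered:
        host.learn_garp(VIP, cluster.vip_mac())
    results.append(host.send_via_gateway(cluster))
    return results


def classify_vip_entry(ip_neigh_output: str) -> str:
    """Hypothetical check: from `ip neigh show`-style lines
    ('<ip> dev <if> lladdr <mac> <state>'), report whether the VIP entry
    points at the VMAC, at a member's physical MAC, or is absent."""
    for line in ip_neigh_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == VIP and parts[3] == "lladdr":
            mac = parts[4].lower()
            if mac == VMAC:
                return "vmac"
            for member, phys in PHYS_MAC.items():
                if mac == phys:
                    return f"physical:{member}"
            return "unknown"
    return "missing"


# Constructed sample of what a server might show after resolving the VIP
# from a cluster without VMAC: the VIP maps to fw1's physical MAC.
SAMPLE_NEIGH = (
    "192.168.10.17 dev eth0 lladdr 00:11:22:aa:aa:01 REACHABLE\n"
    "192.168.10.19 dev eth0 lladdr 00:11:22:aa:aa:01 STALE\n"
)

if __name__ == "__main__":
    print("no VMAC, GARP missed:   ", scenario(False, False))  # [True, False]
    print("no VMAC, GARP delivered:", scenario(False, True))   # [True, True]
    print("VMAC, GARP missed:      ", scenario(True, False))   # [True, True]
    print("VIP entry on server:    ", classify_vip_entry(SAMPLE_NEIGH))
```

Without VMAC, the VIP is reachable after failover only if every host refreshes its ARP entry; a host holding a stale entry for the old active member's physical MAC keeps sending to a member that no longer owns the VIP. With VMAC the cached MAC is the same before and after failover, so stale entries are harmless, which is the property the reply above relies on. The trade-off mentioned later in the thread is on the switch side: the same MAC may now be seen on more than one port.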

I am wondering, is there any potential impact if I enable VMAC?

Thanks


Most issues arise from the fact that your switch will see the same MAC address on different ports, but that is easily configurable from the switch perspective.

Even if it's not directly related, you may want to check a question that I asked here in this post, VSX Cluster + Bond + Proxy ARP: To VMAC or not to VMAC, where @Maarten_Sjouw and @Wolfgang share useful information about VMAC.

As always, try to do these changes in a maintenance window; it's easy to revert in case of failure.

 

____________
https://www.linkedin.com/in/federicomeiners/