This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kamiar_Sh
Contributor
‎2019-10-08 07:34 AM

handle ARP broadcasting on cluster FW

Hi All, 

here is the topology:

I have a cluster GW R77.30 and each cluster has an interface in VLAN 142 which are connected to Cisco L2 switch and on the other hand our client has two redundant server that are connected to another Cisco L2 switch and they configured the servers GW with my GW VIP 192.168.10.17

 

192.168.10.10 Server 1 <----                                                                          192.168.10.19 FW -1 active

                                                   Cisco 3750  <-----> Cisco 3850<-----  VIP 192.168.10.17             <------   server B

192.168.10.11 server 2 <-----                                                                       192.168.10.18  FW-2 Passive

 

additional Info:

1- in our network a few servers are in server B side want to talk to server 1 and 2

2-server 1 and 2 are Linux

so the problem is  when client patching their servers( 1 and 2)  and reboot them all TCP session from server B will be down and server 1 and 2 not respond to any TCP or ICMP request and when they ping VIP .17 is not getting response so they have to ping our FW physical IPs .18 and .19 and then ping VIP .17 , do you have any idea of this issue?

how the cluster FW handle ARP broadcasting ?

 

appreciate that if you share your experience

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-10-08 07:56 AM

Firstly, i have to tell you that the used version R77.30 is  out of support. In sk111956: ARP Forwarding in Check Point ClusterXL you will find details about ARP and clusterXL...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
FedericoMeiners
Advisor
‎2019-10-08 08:05 AM

@Kamiar_Sh 

You may want to try to enable virtual mac configuration in Cluster XL, it sounds that will solve your issue. This way you network will always see the same MAC address of your cluster.

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
Kamiar_Sh
Contributor
‎2019-10-08 08:36 AM
In response to FedericoMeiners

I am wondering is there any potential impact if I enable VMAC ?

Thanks

0 Kudos
FedericoMeiners
Advisor
‎2019-10-08 08:42 AM
In response to Kamiar_Sh

Most issues arise from the fact that your switch will see the same mac address on different ports, but that is easly configurable from the switch perspective.

Even if it's not directly related, you may want to check a question that I asked here in this post VSX Cluster + Bond + Proxy ARP: To VMAC or not to VMAC where @Maarten_Sjouw and @Wolfgang share useful information about VMAC.

As always, try to do these changes on maintenance window, its easy to revert in case of failure.

 

____________
https://www.linkedin.com/in/federicomeiners/

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top