This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2021-08-17 10:45 AM

how do i know if an arp query is failing on checkpoint?

So im getting a complaint from a server owner saying that his newly deployed server is failing arps, the gateway for that server points to the ips of our firewalls in cluster both on R80.20, how do i see on the logs if arp is failing? when i log into the cli on expert mode and look for the arp entry for that server ip i do see the mac address for it:

[Expert@XXX-XXXX:0]# arp -a | grep 10.X.X.X
X.X.com (10.X.X.X) at XX:XX:XX:XX:XX:XX [ether] on ethX.X

Does this mean that arp works? 

I also logged into that server myself and pinged the gateway ip (which is the VIP of the firewall cluster) and pings work, i pinged the actual ips of both the gateways as well and it also worked.

My point is how do i make sure that arp is working/not working for that server?

Thank You.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-08-17 10:59 AM

If you see an arp entry for the server on your gateways, it means the gateway has a MAC address for that IP.
If you also see arp entries for the gateway on the server side, arp is working.
tcpdump would be how you'd troubleshoot this. 

0 Kudos
kb1
Collaborator
‎2021-08-17 11:30 AM
In response to PhoneBoy

So i replied and the server owner says that it works with multicast but not with unicast? how do i troubleshoot this? how do i i use tcpdump to troubleshoot this particular servers unicast ip?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-08-17 11:39 AM
In response to kb1

If you can ping from the new endpoint to the firewall's IP or cluster VIP, ARP is working. The end.

Unicast versus multicast has nothing to do with ARP. I have no idea what the server owner is reporting here.

0 Kudos
kb1
Collaborator
‎2021-08-17 11:40 AM
In response to Bob_Zimmerman

@Bob_Zimmerman wrote:

If you can ping from the new endpoint to the firewall's IP or cluster VIP, ARP is working. The end.

Unicast versus multicast has nothing to do with ARP. I have no idea what the server owner is reporting here.

Thank you! I will let him know that this is not an arp issue on the firewall!

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-08-17 11:58 AM
In response to kb1

The longer explanation is this. Let's say your new endpoint has the IP 10.20.30.40, and your firewalls own 10.20.30.1 (VIP), .2 (active member), and .3 (standby member).

When you tell the new endpoint to ping 10.20.30.1, it doesn't know what MAC address to use for the Ethernet frame. It sends an ARP request to ask who owns that IP. Everything on the network gets that ARP request. The active firewall member replies that it owns the address, the new endpoint caches this reply, and the new endpoint sends the ping request.

The active receives the Ethernet frame and extracts the packet. It sees that the destination IP in the packet is itself, so it hands the packet to its network stack to handle. The network stack sees it's a ping request and sends a ping response, but it doesn't know the destination MAC to use in the Ethernet frame, so it sends an ARP request asking who owns 10.20.30.40. The new endpoint replies, and the reply gets cached in the firewall's ARP table. The firewall then sends the reply.

Without ARP working in both directions, you could not get a response to a ping. If the server owner can describe the symptom they're seeing, we may be able to recommend further troubleshooting steps. Their reported symptom does not match your test results, though.

kb1
Collaborator
‎2021-08-17 02:17 PM
In response to Bob_Zimmerman

Thank you Sir for your detailed reply!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events