This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KM1895
Collaborator
Collaborator
‎2021-03-11 04:56 AM

traffic to standby node is dropped by anti spoofing

 

hi,

 

i have a situation, where some traffic towards a standby node in a cluster is dropped by anti spoofing.

ICMP and SNMP is being dropped by anti spoofing,

The traffic is being sent over vpn, and there are about 10-15 other locations with this set up, and it works just fine there.

Not sure if this is a version bug, it is running r80.20 with no jumbo. Other locations are mainly r80.30 and .40, with a few r80.10 and r77.30.

 

fw ctl set int fwha_forw_packet_to_not_active has been set to 1 on both cluster members, and i can access the standby node on ssh without any issue, its just the other traffic being dropped. Traffic to the active node works just fine.

 

Has anyone seen anything similar before, and have any valuable input?

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-03-11 12:59 PM

Am I understanding correctly that ICMP from an IP is getting dropped on anti-spoofing but SSH from the same IP is allowed?
That sounds like a bug.
I would ensure you have the latest recommended Jumbo Hotfix first.
If the problem still persists, raise a TAC case.

KM1895
Collaborator
Collaborator
‎2021-03-12 02:26 AM
In response to PhoneBoy

hi,

 

The icmp and snmp comes from the same address, and is dropped by antispoofing. The ssh is from another address, but that kinda proves the forward to not active parameter is working.

What i find really weird, is that i did some more troubleshooting today, and while the smartconsole logs clearly states antispoofing and drop, this never shows up on the cluster members when i do fw ctl zdebug drop on both of them.

 

Im starting to lean towards some kind of bug here, and we are in the planning process of doing an upgrade to R80.40, which will hopefully solve this issue.

0 Kudos
the_rock
Legend
Legend
‎2021-03-11 04:14 PM

Could you please attach a screenshot of the drop or output from fw ctl zdebug command? I think that would be helpful in trying to figure out why this is happening.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events