Raj_Khatri
Advisor

Maestro Local ARP

Recently migrated over to a new Maestro cluster running MHO-140s and SG6800s. Noticed the system diagnostics is failing only on the "Local ARP" test. Not facing any issues but want to get to the bottom of clearing this up. A few proxy ARP entries have been added to the security group and confirmed the entries exist in $FWDIR/conf/local.arp on both chassis.

Running R80.20 SP with Take 279

 

#asg_local_arp_verifier output results in the following:

Starting local.arp verification on local chassis... (Chassis 1)
- file local.arp is identical on all blades (OK)
-*- 2 blades: 1_01 1_02 -*-
- arp_table is not identical on all blades:

- MAC integrity check passed on all blades (OK)

Error: Problem found in configuration

 

We have several bonded interfaces and there is no issue with that test w/LACP.

0 Kudos
6 Replies
funkylicious
Advisor

Hmm, we don't have any manual ARP entries, so I guess that's why it passes

 

asg diag print 26
==============================
Local ARP:
==============================

Starting local.arp verification on local chassis... (Chassis 1)
/opt/CPsuite-R80.20/fw1/conf/local.arp is not configured

Starting local.arp verification on remote chassis... (Chassis 2)
/opt/CPsuite-R80.20/fw1/conf/local.arp is not configured
/opt/CPsuite-R80.20/fw1/conf/local.arp is not configured

Configuration is OK

 

Did you use asg_cp2blades to copy the file across the appliances, or did you edit the file manually on each one?

0 Kudos
Raj_Khatri
Advisor

I didn't run that command, but ran #local_arp_update and confirmed the same entries exist in local.arp on both chassis.

0 Kudos
Maarten_Sjouw
Champion

Maybe you should stop editing the local.arp file altogether and start using the (g)clish command for it?

add arp proxy ipv4-address 123.45.67.89 macaddress 00-12-34-00-56-67 real-ipv4-address 123.45.67.90

Regards, Maarten
0 Kudos
Raj_Khatri
Advisor

The changes were made from WebUI followed by a policy install. Confirmed via CLI that local.arp exists on both members.

>show configuration arp proxy
add arp proxy ipv4-address 1.2.3.4 interface bond1

0 Kudos
mk1
Collaborator

Hello Raj,

I have the same issue (MHO-140 + 2 members and proxy-arp). I was told by a Check Point employee this is a known issue and should be fixed in the next jumbo hotfix.

Raj_Khatri
Advisor

Yes, I just got the same word as well that it will be in the next R80.20 jumbo due out early October. Thanks!

0 Kudos