This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Wolfgang
Authority
Authority
‎2023-01-31 10:15 PM

IPv6 on Maestro a nightmare...

Since some weeks we are trying to use IPv6 on a R81.10 Maestro environment. There are some really bad limitations:

Enabling IPv6 in the whole environment needs a restart of all a appliances (MHO and SG) at the same time.

Changing everything for the IPv6 configuration (IPs, routes etc.) end up in complete stop of processing all traffic for about 3-5min. In our VSX environment all VSs are affected not only the one with the changes.

We are working with loacal engineers and it looks like there are some documents describing this issues, but they are not available outside of Check Point.

There are no limitations mentioned in the Maestro limitations regarding this problems with IPv6 Known Limitations for Scalable Platforms (Maestro Appliances and Chassis)

Are we the only one using IPv6 on Maestro R81.10 ? Would be happy to get some experience from others and a statement from Check Point.

Changing a route or an IP address should be something which can be done without any traffic loss.

 

6 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2023-02-01 01:21 AM

All IPv6 restrictions and Maestro features are described in this SK's:

IPv6 features and limitations in R80.30 and higher

Scalable Platforms (Maestro and Chassis) comparison between versions

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
cassiomaciel
Contributor
‎2023-02-01 06:06 AM

I think isn't a specific issue related to IPv6, but is a problem with VSX on Maestro.

In my company we've maestro setups with one security group each, some of them we're working with 3 vsx per sg, we faced some issues, where we need to reboot all SGMs simultaneously and this caused a huge impact for us.

The cases opened with TAC weren't able to find out the root cause, but they explained when a VSX is down, for MHO the whole SGM are considered down as well.

I've installed the HF81 for R81.10 last weekend and seems something was improved, since I didn't face any issue and in the same maintenance window, I created 2 new VSX.

 

Axel_Pabich
Explorer
‎2023-11-14 01:28 AM
In response to cassiomaciel

We once had a problem after an RMA where not all packets are forwarded any time. Looked like  a faulty downlink and after initial diagnostic we also got instructions to reboot all SGMs at once because the bond interface numbering wasn't alligned between the SGMs. The RMAed had 1,2,3,4 and the two unchanged had 1,4,5,6. We then rebooted just the unchanged devices one at a time and they came back with correct numbering.

You can check and compare the bond interface numbering with this command on each SGM:
cat /proc/net/bonding/bond1 |grep -A 5 -e "Interface:" -e "details actor lacp pdu"|grep -e "Interface:" -e "port number"
The output should look like:
Slave Interface: eth1-05
port number: 1
Slave Interface: eth2-05
port number: 2
Slave Interface: eth2-07
port number: 3
Slave Interface: eth1-07
port number: 4
or at least the same port numbering on all.

0 Kudos
Srdjan_B
Collaborator
Collaborator
‎2023-12-13 04:25 AM
In response to Axel_Pabich

We've had a change of some bonds last night and few issues afterwards:

- some IPv6 routes went missing after changing bond configuration. We did few different changes with bond1, but some directly connected IPv6 routes were missing even from other bond interfaces. 

- one SGM crashed after deleting one member of a bond. Once it came back, IPv6 routes on that SGM were fine, but two other SGMs lost some IPv6 routes (including connected ones).

- MAC addresses have changed on the bond we modified and were inconsistent between SGMs. Even SGM reboots (one at a time) did not fix it. We had to remove all except one bond members, reboot SGMs which had wrong MAC addresses (one at a time) and when all SGMs have agreed on MAC addresses, we have added remaining interfaces to bond. And we had to fix IPv6 again at the very end.

Fixing IPv6 routes for us involved doing state off / state on for IPv6 subinterfaces (luckily, just a handful of them)

This is single security group and security gateway (not a VSX), R81.10 JHF T66.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-13 04:34 AM
In response to Srdjan_B

For reference some of these issues appear resolved in more recent Jumbo takes.

CCSM R77/R80/ELITE
Vincent_Bacher
Advisor
Advisor
‎2023-12-13 06:57 AM
In response to cassiomaciel

@cassiomaciel wrote:

I think isn't a specific issue related to IPv6, but is a problem with VSX on Maestro.

That's interesting and good to know. It confirms our decision not to replace our 61k/64k with Maestro.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events