This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Arnost_Odvalil
Explorer
Explorer
‎2025-02-26 04:45 AM
Jump to solution

Maestro Dual site sync troubleshooting

Hello

I am having issues with Maestro Dual site (Single MHO) synchronization through external L2 switches. Since the customer does not want to use QinQ I turned it off, then we created trunk ports on the switches and we allowed VLAN IDs 3951 for MHO and 3801+ for the SGs. The MHO sync works fine, but the SGs sync does not work and I do not know if it is some kind of issue on the MHO or on the switches.
IF I ping from SGM 1_1 (192.0.2.1) to SGM 2_1 on the sync network: ping 192.0.2.15 then there is no answer and I can see in tcpdump that the SGM 1_1 is ARP asking for MAC of 192.0.2.15:

[Expert@FW-JUST_EXT-ch01-01:0]# ping 192.0.2.15
PING 192.0.2.15 (192.0.2.15) 56(84) bytes of data.
From 192.0.2.1 icmp_seq=1 Destination Host Unreachable
From 192.0.2.1 icmp_seq=2 Destination Host Unreachable
From 192.0.2.1 icmp_seq=3 Destination Host Unreachable
From 192.0.2.1 icmp_seq=4 Destination Host Unreachable

[Expert@FW-JUST_EXT-ch01-01:0]# tcpdump -nni Sync host 192.0.2.15
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:10.486344 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28
16:51:11.488348 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28
16:51:13.485469 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28
16:51:14.486357 ARP, Request who-has 192.0.2.15 tell 192.0.2.1, length 28

However I cannot find any of those ARPs on the MHO itself to verify that those ARP packets are leaving the MHO. Is there a way how to verify that the sync packets from SGM 1_1 are leaving the MHO1 via the external sync and are sent to MHO2 (SGM 2_1) through the switches?
The packets should be leaving the MHO with the 192.0.2.x source IP or is MHO sending even the SG sync packets with the MHO sync IP 203.0.113.x?

Thank you
Arnost

0 Kudos
1 Solution

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-03-03 07:25 PM
Jump to solution

The SGM sync packets for SG1 will traverse VLAN 3801 on the site_sync interface(s). Check the switching layer for any issues around duplicate MACs and the switch suspending ports.

View solution in original post

0 Kudos
(1)
1 Reply
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-03-03 07:25 PM
Jump to solution

The SGM sync packets for SG1 will traverse VLAN 3801 on the site_sync interface(s). Check the switching layer for any issues around duplicate MACs and the switch suspending ports.

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events