This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Raj_Khatri
Advisor
‎2020-09-16 09:00 AM

Maestro Local ARP

Recently migrated over to a new Maestro cluster running MHO-140s and SG6800s.  Noticed the system diagnostics is failing only on the "Local ARP" test.  Not facing any issues but want to get to the bottom of clearing this up.  A few proxy ARP entries have been added to the security group and confirmed the entries exist in $FWDIR/conf/local.arp on both chassis.

Running R80.20 SP with Take 279

 

#asg_local_arp_verifier  output results in the following - 

Starting local.arp verification on local chassis... (Chassis 1)
- file local.arp is identical on all blades (OK)
-*- 2 blades: 1_01 1_02 -*-
- arp_table is not identical on all blades:

- MAC integrity check passed on all blades (OK)

Error: Problem found in configuration

 

We have several bonded interfaces and there is no issue with that test w/LACP.

0 Kudos
6 Replies
funkylicious
Advisor
‎2020-09-17 03:26 AM

Hmm, we don't have any manual ARP entries, so I guess that's why it passes

 

asg diag print 26
==============================
Local ARP:
==============================

Starting local.arp verification on local chassis... (Chassis 1)
/opt/CPsuite-R80.20/fw1/conf/local.arp is not configured

Starting local.arp verification on remote chassis... (Chassis 2)
/opt/CPsuite-R80.20/fw1/conf/local.arp is not configured
/opt/CPsuite-R80.20/fw1/conf/local.arp is not configured

Configuration is OK

 

Did you use, asg_cp2blades to copy the file across the appliances or edited the file manually on each one ?

0 Kudos
Raj_Khatri
Advisor
‎2020-09-21 12:28 PM
In response to funkylicious

I didn't run that command, but ran #local_arp_update and confirmed the same entries exist in local.arp on both chassis.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-09-21 10:57 PM
In response to Raj_Khatri

Maybe you should stop editing the local.arp file all together and start using the (g)clish command for it?

add arp proxy ipv4-address 123.45.67.89 macaddress 00-12-34-00-56-67 real-ipv4-address 123.45.67.90

Regards, Maarten
0 Kudos
Raj_Khatri
Advisor
‎2020-09-22 11:42 AM
In response to Maarten_Sjouw

The changes were made from WebUI followed by a policy install.  Confirmed via CLI that local.arp exists on both members.

>show configuration arp proxy
add arp proxy ipv4-address 1.2.3.4 interface bond1

0 Kudos
mk1
Collaborator
‎2020-09-28 05:25 AM

Hello Raj,

I have the same issue (MHO-140 + 2 members and proxy-arp). I was told by Check Point employee this is a known issue and should be fixed in the next jumbo hotfix.

Raj_Khatri
Advisor
‎2020-09-28 05:26 PM
In response to mk1

Yes, I just got the same word as well that it will be in the next R80.20 jumbo due out early October.  Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events