This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yeruel
Contributor
2 weeks ago

Internet DNS connectivity issue (IPS Managment update failed)

Hi,

We are experiencing DNS issues with the management network, specifically with the MGMT interface of firewalls and managers.

Firewalls mgmt interfaces and Managers  which are belong to managment network 10.20.90.0/24 are not accessing internet. From managers servers (10.20.90.10, and 10.20.90.20) can ping 8.8.8.8 and others, but it is not reachable to the internet services (DNS).

Urgent assist!

0 Kudos
7 Replies
the_rock
Legend
Legend
2 weeks ago

Hey brother,

Im just about to start work, but to repeat what I mentioned in my response to your message before, how is topology configured? Does this happen on multiple firewalls?

Andy

0 Kudos
yeruel
Contributor
a week ago
In response to the_rock

Hey Andy,

I can ping 8.8.8.8 and outside interface of firewall Smartconsole (MGMT server) 10.1.90.20, But resolve to the www.google.com or checkpoint.com not working.

[Expert@COM-EFW-01:0]# fw ctl zdebug drop | grep 10.1.90.20
@;74285308.808030;[vs_0];[tid_26];[fw4_26];fw_log_drop_ex: Packet proto=17 10.1.90.20:59268 -> 239.255.255.250:1900 dropped by fw_log_ip_routing_failure Reason: IP multicast routing failed (missing OS route);
@;74285555.808168;[vs_0];[tid_34];[fw4_34];fw_log_drop_ex: Packet proto=17 10.1.90.20:59268 -> 239.255.255.250:1900 dropped by fw_log_ip_routing_failure Reason: IP multicast routing failed (missing OS route);
@;74286043.808271;[vs_0];[tid_36];[fw4_36];fw_log_drop_ex: Packet proto=17 10.1.90.20:59268 -> 239.255.255.250:1900 dropped by fw_log_ip_routing_failure Reason: IP multicast routing failed (missing OS route);
@;74286313.808406;[vs_0];[tid_31];[fw4_31];fw_log_drop_ex: Packet proto=17 10.1.90.20:59268 -> 239.255.255.250:1900 dropped by fw_log_ip_routing_failure Reason: IP multicast routing failed (missing OS route);
^C
Next time perform for exit: "fw ctl debug 0"

cpdev_wait_ioctl_done_mq: ack select failed 23, Interrupted system call

cpdev_user_ioctl_mq: failed to receive ack, Interrupted system call, op 3222829798

cpdev_user_ioctl: ioctl failed to device /vs0/dev/fw0
: Interrupted system call
Cannot unset debug filter

 

I don't want to route managment servers and smartconsole through mgmt interface, it should be route through internal interface which is bond2.

[Expert@COM-EFW-01:0]# ip route show

default via 213.55.84.9 dev bond1 proto 7

10.0.0.0/8 via 172.24.1.3 dev bond2 proto 7

10.1.0.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.0.111 via 172.24.1.3 dev bond2 proto 7

10.1.0.112 via 172.24.1.3 dev bond2 proto 7

10.1.0.113 via 172.24.1.3 dev bond2 proto 7

10.1.1.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.9.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.10.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.20.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.50.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.60.0/24 via 172.24.1.3 dev bond2 proto 7

10.1.90.0/24 dev Mgmt proto kernel scope link src 10.1.90.11

 

0 Kudos
yeruel
Contributor
a week ago
In response to yeruel

Hi @the_rock Andy,

I think I have to create two separate planes: a management plane and a data plane.

I have created the management plane and checked the IP route using ip r g 8.8.8.8, which shows "network is unreachable." However, from the data plane, ip r g 8.8.8.8 is reachable.

My goal is to ensure that management network traffic passes through the management plane to reach external internet traffic.

0 Kudos
the_rock
Legend
Legend
a week ago
In response to yeruel

Hey Yeruel.

I cant recall now how you do that, but there is some dplace/mplane config in the clish, just check from show configuration.

Andy

0 Kudos
AkosBakos
Leader Leader
Leader
a week ago
In response to yeruel

Hi @yeruel 

AFAIK, there is a fully separated from the Data plane, therefore you need to add the routing etc. in the Managament plane too. There is no passage between the two planes.

Here is the sk: https://support.checkpoint.com/results/sk/sk138672

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
yeruel
Contributor
a week ago
In response to AkosBakos

Can I configure routing to the internet without separate management and dataplane?

What I am facing the issue is my management 10.1.90.0/24 is routing via mgmt interface of GW (10.1.90.11).  I don't want to route the managment network via mgmt interface of gw. I think the direct interface is used as priority for routing to internet. what is your advice? I can ping from the managment smartconsole server 10.1.90.20 to the internet 8.8.8.8, but the checkpoint.com and google.com is not reachable. the traffic is blocked by gw mgmt interface,

0 Kudos
yeruel
Contributor
a week ago
In response to yeruel

How can I adjust the link cost value of interfaces direct connected, I want to OSPF should be the priority and the preferred route than direct connected.

@the_rock @AkosBakos 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events