MariuszT
Explorer

SMS upgrade from R80.20 to R80.40 creates issues with SmartLSM GWs.

Hi,

Last weekend we upgraded the SMS from R80.20 to R80.40 with a blink image upgrade.

After that we have issues with SmartLSM gateways. Every few hours we need to manually fetch policy from the ROBO GWs (1450 R77.20.85) because DNS traffic is lost in the tunnel.

Example:

tcpdump on ROBO:

07:52:33.306248 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.53366: 6105* 1/0/0 A 10.112.198.40 (47)
07:52:45.898220 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 84: 10.63.30.244.49942 > 10.13.124.4.53: 61826+ A? mail.partner.xxx.xxx(42)
07:53:29.086509 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.52433 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.107068 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.52433: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:21.699884 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 74: 10.63.30.244.59945 > 10.13.124.4.53: 60861+ A? portal.xxx.xxx. (32)
07:54:24.507508 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.57164 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.527347 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.57164: 46535* 1/0/0 A 10.112.198.40 (47)

We can see queries for 'mail.partner.xxx.xxx' and 'portal.xxx.xxx'.

On the central GW those queries are missing:
07:52:33.291531 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.26351 > 10.13.124.4.53: 6105+ A? cpnbb.xxx.xxx. (31)
07:52:33.292107 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.26351: 6105* 1/0/0 A 10.112.198.40 (47)
07:53:29.092007 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.21365 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.092875 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.21365: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:24.512593 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.32668 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.513090 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.32668: 46535* 1/0/0 A 10.112.198.40 (47)

After 'fw fetch' on the ROBO GW, DNS queries go through normally:
ROBO GW:
07:59:03.905407 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 88: 10.63.30.244.60248 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.926065 00:1c:7f:7b:04:0a > 00:50:56:b6:75:7e, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.63.30.244.60248: 18586* 1/0/1 A 10.218.190.169 (62)

Central GW:
07:59:03.910580 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 88: 10.13.96.186.24953 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.911431 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.13.96.186.24953: 18586* 1/0/1 A 10.218.190.169 (62)

I've opened an SR for that, but maybe you've got some info about known issues with SmartLSM, R80.40 and the SMB 1450?

Greetings,

Mariusz

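The two captures above are easiest to compare by DNS transaction ID and query name rather than by address, since the query's source address differs on the two sides (10.63.30.x on the ROBO, 10.13.96.186 on the central GW). The script below is an added example, not code from the post or from Check Point: it parses tcpdump text lines in the format shown in the post, lists the queries that left the ROBO but never appeared on the central GW, and lists queries that got no answer in a given capture. The embedded sample lines are the ones quoted in the post.

```python
"""Correlate DNS queries between two tcpdump captures of the same VPN path.

Added example for this thread (not the poster's or Check Point's code): it
parses tcpdump text lines in the format shown in the post and reports
(1) queries seen at the near end (ROBO) that never appear at the far end
(central GW) and (2) queries at either end that received no response.
"""
import re
from dataclasses import dataclass

# One tcpdump -e line: TIME SRCMAC > DSTMAC, ... length N: SRC.PORT > DST.PORT: TXID[+*] [1au] REST
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) .*?length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flag>[+*]?)(?: \[1au\])? (?P<rest>.*)$"
)
# "A? name" (or "AAAA? name") marks a query; a response prints "1/0/0 A addr" instead.
QNAME_RE = re.compile(r"\b[A-Z]+\? ([^\s(]+)")


@dataclass(frozen=True)
class DnsMsg:
    ts: str
    src: str
    dst: str
    txid: int
    is_query: bool
    qname: str  # empty for responses


def parse_dns_lines(text: str) -> list[DnsMsg]:
    """Parse tcpdump text into DnsMsg records, skipping lines that do not match."""
    msgs = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        q = QNAME_RE.search(m["rest"])
        qname = q.group(1).rstrip(".") if q else ""
        msgs.append(DnsMsg(m["ts"], m["src"], m["dst"], int(m["txid"]), q is not None, qname))
    return msgs


def queries_missing_at(near: list[DnsMsg], far: list[DnsMsg]) -> list[DnsMsg]:
    """Queries seen at `near` whose (txid, qname) pair never shows up at `far`.

    Matching uses the DNS transaction ID plus the name, not IP addresses, because
    the source address changes across the tunnel (hide NAT at the central GW).
    The 16-bit txid can repeat in a long capture, so keep the capture windows short.
    """
    far_seen = {(m.txid, m.qname) for m in far if m.is_query}
    return [m for m in near if m.is_query and (m.txid, m.qname) not in far_seen]


def unanswered(msgs: list[DnsMsg]) -> list[DnsMsg]:
    """Queries in one capture with no response carrying the same txid."""
    answered = {m.txid for m in msgs if not m.is_query}
    return [m for m in msgs if m.is_query and m.txid not in answered]


# Sample lines taken from the post (before the 'fw fetch'); MACs omitted where irrelevant is NOT
# done here: the lines are kept verbatim so the regex is exercised on the real format.
ROBO_BEFORE = """
07:52:33.306248 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.53366: 6105* 1/0/0 A 10.112.198.40 (47)
07:52:45.898220 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 84: 10.63.30.244.49942 > 10.13.124.4.53: 61826+ A? mail.partner.xxx.xxx(42)
07:53:29.086509 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.52433 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.107068 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.52433: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:21.699884 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 74: 10.63.30.244.59945 > 10.13.124.4.53: 60861+ A? portal.xxx.xxx. (32)
07:54:24.507508 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.57164 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.527347 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.57164: 46535* 1/0/0 A 10.112.198.40 (47)
"""
CENTRAL_BEFORE = """
07:52:33.291531 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.26351 > 10.13.124.4.53: 6105+ A? cpnbb.xxx.xxx. (31)
07:52:33.292107 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.26351: 6105* 1/0/0 A 10.112.198.40 (47)
07:53:29.092007 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.21365 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.092875 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.21365: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:24.512593 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.32668 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.513090 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.32668: 46535* 1/0/0 A 10.112.198.40 (47)
"""
# After the 'fw fetch' (also from the post): the same query is seen on both sides.
ROBO_AFTER = """
07:59:03.905407 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 88: 10.63.30.244.60248 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.926065 00:1c:7f:7b:04:0a > 00:50:56:b6:75:7e, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.63.30.244.60248: 18586* 1/0/1 A 10.218.190.169 (62)
"""
CENTRAL_AFTER = """
07:59:03.910580 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 88: 10.13.96.186.24953 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.911431 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.13.96.186.24953: 18586* 1/0/1 A 10.218.190.169 (62)
"""


def report(near_text: str, far_text: str) -> list[tuple[int, str]]:
    """Return (txid, qname) for every near-end query that never reached the far end."""
    near, far = parse_dns_lines(near_text), parse_dns_lines(far_text)
    return [(m.txid, m.qname) for m in queries_missing_at(near, far)]


if __name__ == "__main__":
    for label, near, far in (("before fetch", ROBO_BEFORE, CENTRAL_BEFORE),
                             ("after fetch", ROBO_AFTER, CENTRAL_AFTER)):
        print(label, "- lost in tunnel:", report(near, far),
              "- unanswered at ROBO:", [m.txid for m in unanswered(parse_dns_lines(near))])
```

Run against the post's captures, the "before" comparison flags txid 61826 (mail.partner.xxx.xxx) and 60861 (portal.xxx.xxx) as leaving the ROBO and never reaching the central GW, and the same two as unanswered on the ROBO side; the "after" comparison reports nothing lost. Note that the reverse comparison would flag txid 6105 as "missing at ROBO" only because the ROBO excerpt starts at that query's response, so start both captures at the same moment before drawing conclusions.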
PhoneBoy
Admin

Is there a reason you're running R77.20.75 and not R77.20.87, which is much more recent?

MariuszT
Explorer

My mistake, we're running R77.20.87:

show software-version
This is Check Point's 1450 Appliance R77.20.87 - Build 072

But we had to roll back the SMS to R80.20.

The issue was that after a few hours the ROBO GWs stopped NAT for local networks. We think that somehow they're losing the Dynamic Object configuration. After fetching policy, traffic goes normally for some time 😕

We have an SR open because next year R80.20 goes EOS and the upgrade is necessary.

We also tried R81.10, as suggested by a CP engineer, but it was only worse. We could not install policy on the ROBO GWs at all. We tried a SIC reset, but with no luck.

Greetings,

Mariusz

PhoneBoy
Admin

That seems like a possibility.
You can check the current state of dynamic objects using the dynamic_objects CLI command on the gateway to confirm that.
Still, sounds like something TAC needs to look at more closely.
