This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ShlomiA
Explorer
‎2020-08-27 07:35 AM

loop between ClusterXL Virtual IP & Static Route

Hi,

I will try to explain my issue as the best I can.

So, I have a ClusterXL with 2 gateways.

The cluster is configured with 212.xx.xx.163/29 IP pool.

Network topology example:

Cluster Virtual IP: 212.xx.xx.164

CPFW01 IP: 212.xx.xx.165

CPFW02 IP: 212.xx.xx.166

So far, It's working good.

Now, I have a secondary IP pool on a different subnet: 212.xx.yy.96/27

My ISP is routing the entire pool to my cluster virtual IP.. That way I can use my secondary IP pool by doing NAT policy on my cluster.

It works, But for some reason, when I perform tracert to any of my secondary pool IP addresses, I see a loop between my cluster virtual IP & my gateway static route:

-- .164 is my cluster virtual IP and .163 is my gateway static route.

N6JgIPS

1RB58zo

So the only thing I could think of that causing that loop, Is that the secondary IP pool is not actually configured any where on my interfaces or my gateways.. It's only configured as NAT policies.. So when ever I try to 'connect' to IP addresses of my secondary IP pool, my gateway doesn't know these IP's so he send me to the static route....?

I would love to hear some tips on how to solve this issue..

Thank you 🙂

 

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-08-27 08:37 AM

Do you have an Access + NAT policy that permits traceroute access to the relevant IP address and translates to the relevant private IP?
Are the NAT rules manual or automatic (configured on the relevant object) and how is it configured?

A static route for the relevant public subnet to the internal subnet may be necessary here, but it shouldn't be.

0 Kudos
ShlomiA
Explorer
‎2020-08-28 04:28 AM

Found a solution by setting a loopback on each gateway in the cluster for the secondary pools.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events