Participant

R80.40 MDS ARP Display Issue

Hi Everyone,

 

We have recently upgraded our MDS and VSX Cluster from R80.10 to R80.40 with JHF Take 77 on one of our sites, and I've noticed a difference between the R80.10 devices and R80.40 devices when using the "show arp dynamic all" command.

Basically, if I "set virtual system *" to a customer VS and do the show arp command above, I only get the top level ARP, so only the interfaces of the physical device itself including sync interface, MGMT, etc., no matter which virtual system or level I'm in. If I go into expert mode and then the virtual system and run the command "arp -an", then I get the customer level ARPs.

On our R80.10 site, "show arp dynamic all" in customer context and "arp -an" in expert level customer context show the exact same results in so far as they both display the same thing, the customer ARP table.

Has the ARP command changed in R80.40, or is this just some strangeness that will probably be ironed out in a future hotfix? I've had a search and can't find anything similar mentioned, and was just curious if anyone in the community had seen similar.

Cheers.

Steve.

8 Replies
Admin

There are a few differences between R80.10 and R80.40 (Linux kernel being a major one), so it's possible this is a bug.
Probably worth a TAC case if you haven't opened one up already.

Participant

Thanks PhoneBoy, I've not opened a TAC case yet, thought I'd get a handle on if it was just me doing something a bit daft first. One of the reasons we upgraded was for the new Linux kernel and associated file system performance. It's not a drastic issue, but I'll get it raised just to see if it is, as I like to call them from my programming days, "an undocumented feature" 😄

I would say the old behavior is a bug which was later fixed. When you're in clish, switching to a particular VS and looking at the ARP table should give you the ARP table for that VS, shouldn't it?

Participant

Hi Bob, and there within is the issue: in Clish in R80.10, if I switch to a particular customer VS and look at the ARP table, it gives me all the ARP for that particular customer.

In R80.40 in Clish, I swap to a particular customer VS and look at the ARP table and it gives me the top level ARP of the actual physical cluster gateway itself and no customer ARP information. In R80.40 the only way to get this is to enter expert mode, then go into the customer VS and then do arp -an, which correctly pulls the customer ARP.

The "show arp dynamic all" command has always worked in R77.30 and when we upgraded to R80.10. It does still work in R80.40 I suppose, it just doesn't give me the output I'm expecting.

Cheers,

Steve.


Huh. I must have read your description backwards somehow.

I agree, showing the ARP table for namespace 0 while in another namespace is a bug.

I mention namespaces because previous versions' VSX functionality was based on VRF extensions to Linux' default network stack. R80.40 involves a newer kernel with a newer network stack which includes network namespace functionality. VSX on R80.40 has been changed to use this rather than the old VRF method. I bet that specific clish command wasn't updated and is still trying to show the ARP for a particular VRF, and falling back to ARP for namespace 0 when that fails.

Participant

Thanks Bob, it's more likely my original description wasn't the clearest 😄

I'll raise a case with TAC and see if there is a fix in the pipeline, and much appreciated for the above info. I wasn't aware that the Check Point VS functionality was based on Linux VRF, but it does make sense to separate that way.

Your description sounds spot on for what I'm seeing so I reckon you are bang on the money, again your help and knowledge have been much appreciated.

Cheers,

Steve.


With old VSX, you could see which VS you were set to by running 'cat /proc/self/vrf' and you could get a list of all VSIDs using 'ls /proc/vrf'. I used this a fair bit in scripts to do things like show which interfaces are used and how many times across all VSs. With a little poking, you could also see that a large number of Linux commands (arp, ifconfig, ip, and a lot more) were actually using Check Point wrappers so they would run for the current VRF. This is also related to why every GAiA system has the dumb little ":0" after the hostname in the command prompt. There's a bug in the /etc/bashrc which causes it to always use the VSX command prompt.

Now, you can get the current VSID using 'cat /proc/self/nsid' and you can get the list of all VSs using 'ip netns list'. I haven't actually done anything with new namespace-based VSX in production yet. I just noticed the VRF functionality was gone when I updated a SmartCenter, then confirmed on my personal 2200. arp, ip, netstat, and route definitely don't have the old wrappers. Looks like ifconfig still does.
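
A way to confirm the symptom discussed in this thread, as an added example that is not part of any post and not Check Point code: reduce a listing captured in a VS context to IP/MAC pairs and test whether it matches that VS's namespace table or the default namespace's. The function names and sample data are constructed; it assumes iproute2 and net-tools in expert mode, and that `ip netns exec` accepts the names printed by `ip netns list` on the gateway.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumes iproute2 and net-tools, run as
# root from the default namespace; NS is a name printed by `ip netns list`.

# Reduce any ARP listing on stdin to sorted, lower-case "ip mac" pairs.
# Works on `arp -an` output and on any listing with one IP and MAC per line.
arp_pairs() {
    awk '{
        ip = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            f = $i; gsub(/[()]/, "", f)
            if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = f
            else if (f ~ /^[0-9A-Fa-f:]+$/ && split(f, p, ":") == 6) mac = tolower(f)
        }
        if (ip != "" && mac != "") print ip, mac   # skips <incomplete> entries
    }' | sort -u
}

# classify SEEN EXPECTED DEFAULT: which table does the captured listing match?
classify() {
    seen=$(printf '%s\n' "$1" | arp_pairs)
    if [ "$seen" = "$(printf '%s\n' "$2" | arp_pairs)" ]; then
        echo OK            # capture is the table of the expected namespace
    elif [ "$seen" = "$(printf '%s\n' "$3" | arp_pairs)" ]; then
        echo DEFAULT_NS    # capture is the default-namespace table instead
    else
        echo UNKNOWN       # neither; entries may have aged between captures
    fi
}

# check_view FILE NS: FILE holds the listing captured in the VS context under
# test; it is compared with the live tables of NS and the default namespace.
check_view() {
    classify "$(cat "$1")" "$(ip netns exec "$2" arp -an)" "$(arp -an)"
}

# Constructed sample data (not from a real gateway).
SAMPLE_DEFAULT='? (192.0.2.1) at 00:1C:7F:00:00:01 [ether] on Mgmt
? (192.0.2.2) at 00:1c:7f:00:00:02 [ether] on Sync'
SAMPLE_VS='? (198.51.100.10) at 00:1c:7f:00:01:0a [ether] on eth1
? (198.51.100.20) at <incomplete> on eth1'

# Usage: sh script.sh --check CAPTURE_FILE NS
if [ "${1:-}" = "--check" ]; then check_view "$2" "$3"; fi
```

A `DEFAULT_NS` result for a capture taken after switching to a customer VS is the behaviour reported above for R80.40.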

Employee

Hi,

We saw it as well in our lab. I will take it with RnD. If you already opened a TAC case, please share it with me in private so I could follow up.