Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Alex_Lillo
Participant

Manual NAT with proxy ARP fails randomly

Hi mates, 

We are dealing with another strange issue, where a published NAT stops working randomly after a policy install. 

The rule works as expected, the proxy ARP entry is in place, and after changing something completely unrelated (i.e. enabling a protection from staging to prevent), the NAT entry stops working.

Sometimes is one NAT rule, sometimes is another. 

We are cleaning up our NAT rulebase (currently 377 NAT rules, aproximatedly 40% had already been disabled) just to deal with this and clean things up.

Has somebody found this problem before?

0 Kudos
7 Replies
Maarten_Sjouw
Champion
Champion

Just a few simple questions:
Which version is on the gateway, which jumbo?
Are you using VMAC in clustering? ClusterXL or VRRP?
In the proxy arp command are you referring to the interface or the mac address?
When it does not work, what does 'fw ctl arp' tell you, is it really gone?
Regards, Maarten
0 Kudos
Alex_Lillo
Participant

R80.10 jumbo Take 203

Cluster XL & VMAC 

I'm referring to both the IP and the MAC address, using fw ctl arp. It's in place. 

 

0 Kudos
Alex_Lillo
Participant

UPDATE: When launching "clusterXL_admin down && clusterXL_admin up" from active member, passive member becomes ACTIVE and the NAT rule starts working again. If you fail back again, the NAT rule still does not work. 

With cpstop && cpstart on failing member, it starts working normally.

0 Kudos
Maarten_Sjouw
Champion
Champion

Are you using VMAC?
So the command you are using:
add arp proxy ipv4-address 123.123.123.125 macaddress 00:1c:7f:38:22:fe real-ip 123.123.123.123
Where real-ip is the ip of the member, not the VIP and the macaddress is the VMAC when using VMAC.
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion
Champion

This sounds like you need to open a TAC case and involve @Ilya_Yusupov with this issue.
Regards, Maarten
Alex_Lillo
Participant

Exactly, that's it.
0 Kudos
Timothy_Hall
Champion
Champion

Sounds an awful lot like this (sk154092 - Security Gateway loses Proxy ARP entries after policy installation), for which there is a hotfix available:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events