This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dehaasm
Collaborator
‎2023-03-03 02:23 AM

Check Point vsec virtual ARP not updated on VMware hosts

We have a cluster R80.40 installed on VMWARE in ESX server and the three options are configured on all VLANS, forged transmit, promiscuous mode and mac learning on accept.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

currently the VMAC is not enabled so after failover we depend on ARP(MAC) address update on the surrounding hosts. Whenever we do a failover to activate the next member, the hosts are receiving the traffic but they still respond to the old (now STANDBY) gateway.

So the fact is that for some reason their default gateway MAC address is still pointing to the old firewall. The problem is not on a single server but many hosts all have the same issue and became unreachable.

What could be the cause of the old gateway MAC address being stuck on the servers in VMWARE?

note: this perhaps aint a CP issue but perhaps someone has experience dealing with the same issue.I know enabling VMAC would resolve the MAC change but we want to find the root cause of this issue.

 

 

 

 

 

0 Kudos
9 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-03-03 02:41 AM

Is something filtering the GARPs sent from the gateway on failover, do you see them in a packet capture upon failover at an affected host?

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin
Admin
‎2023-03-03 04:41 AM
In response to Chris_Atkinson

Second GARP question.

0 Kudos
dehaasm
Collaborator
‎2023-03-07 03:36 AM
In response to Chris_Atkinson

Yes that is something that i am figuring out, trying to send the G-ARP manually would be a nice test indeed

0 Kudos
Ruan_Kotze
MVP Gold
MVP Gold
‎2023-03-03 04:56 AM

Don't think this is a CP issue as such, but you can force your gateway to send g-arps with "arping". 

So let's say your gateway IP is 1.2.3.4 the command will be arping -c 4 -A -I eth1 1.2.3.4

0 Kudos
Rafael_Lima2
Explorer
‎2023-03-15 11:50 AM

Hi dehaasm,

Did you find a solution to the issue? I've the same issue in a cluster using vSec gateways too.

0 Kudos
dehaasm
Collaborator
‎2023-03-30 01:28 AM
In response to Rafael_Lima2

Hi Rafael,

 

We performed a normal failover with and without vmac enabled on R80.40. Our conclusion is that without vmac and just relying on the ARP update it works perfectly, the servers are updating their ARP table directly with new mac address of the activated CP gateway. Strangely enough when we enable VMAC the servers also correctly updated the ARP table, however when performing a failover it takes about 1 minute before communication starts to work and we tested this several times (vmac only depends on network switches to learn the same MAC address from the other firewall), we didnt have time to investigate this. Coming back to our problem knowing that the normal failover works perfectly witouth using VMAC, it caused issues when we upgraded to R81.10 take 87 so we suspect the CP gateway not to send the ARP updates properly. We will investigate further and also try to solve this by manually sending the arping command.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-03-30 06:10 AM
In response to dehaasm

Sorry to clarify, the above appears to contradict your original post?

CCSM R77/R80/ELITE
0 Kudos
dehaasm
Collaborator
‎2023-03-30 06:18 AM
In response to Chris_Atkinson

Hi Chris, Yes sorry about that I was assuming (including the end user) that they always have this issue after performing a failover, however after advanced testing last night it appears to work properly. Some weeks ago we tried to upgrade one member to version r81.10 take 87 and tried to failover and I confirmed that the replies from the servers arrived on the standby firewall. Therefor I can conclude that the ARP update wasnt properly send from the upgraded member to inform the servers that it is now the gateway, I used MVC method and cluster was always working.

Sorry for the confusion I should modify the question to include that this is only occuring with upgrade for some reason. Are there any known issues regarding this in version R81.10?

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-03-30 06:23 AM
In response to dehaasm

There are some MVC fixes in the JHF but nothing that matches based solely on ARP that I can see.

Also just because it doesn't arrive doesn't mean it wasn't sent so further isolation is required to validate.

 

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events