This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wei_Soon_Heng
Contributor
Contributor
‎2021-09-21 11:37 AM

CheckPoint Cluster behind F5 Load balancer unable to reach to internet

Hi All,

I am facing a strange issue where a pair checkpoint cluster(located behind F5) unable to reach internet. We need checkpoint cluster to have internet access to download geolocation package from CP cloud, client want to enable the geolocation feature.
CheckPoint cluster is not holding any public IP , it will being nated at F5 when go over internet.

Troubleshooting step that have been done:
-Ping from both cluster member to F5 devices is success, but ping from checkpoint cluster to external(e.g 8.8.8.8) , packet is being forwarded from gateway via output of tcpdump but no reply packet is received.

-Output of tcpdump in F5 showing that  echo-reply have been returned to checkpoint but checkpoint does not show any receiving of icmp reply packet. Checked in checkpoint that there is no drop in firewall rule or kernel and interfaces level.

-Arp table in F5 devices shows that the mac address of CheckPoint VIP is bind to active member

-Meanwhile, this cluster have few working site-to-site vpn tunnels that established via through F5 devices.

-Tried failover of cluster member, it still does not resolve the issue.

-We have another single distributed checkpoint gateway that connect to the same F5 devices, it is able to reach internet and download the geolocation packages.

I am wondering where is the icmp reply packet goes? since F5 can see icmp reply is forwarded to checkpoint VIP.
I suspect it is related to checkpoint VIP.

Does anyone experienced the similar issue?

Checkpoint management server and cluster version is R80.30.

Thanks

0 Kudos
7 Replies
the_rock
Legend
Legend
‎2021-09-21 11:41 AM

Your description definitely helps us hopefully give you a step in right direction. Here are some things I would try:

-if you check route to say 8.8.8.8 on CP, what do you get (from active member run ip route get 8.8.8.8)

-on active fw, if you run fw monitor -e "accept host(8.8.8.8);" ...what do you see?

have you tried running fw ctl zdebug | grep 8.8.8.8 while simultaneously pinging 8.8.8.8 from a duplicate window to see if anything gets dropped?

Andy

0 Kudos
Wei_Soon_Heng
Contributor
Contributor
‎2021-09-21 08:21 PM
In response to the_rock

-Yes, the next hop is F5 devices if the destination is external.
-Only inspection point o and O are seen, no reply packet as same as the output of tcpdump.
-No drop in output of zdebug drop 

I am wondering how does vpn tunnels is working because those initiation ike traffic also pass through the same F5 devices in order to establish with their peers.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2021-09-21 05:20 PM

Check the mac-address are correct in the packet captures, also is "auto last hop" enabled on the F5?  (Refer: sk83420)

CCSM R77/R80/ELITE
0 Kudos
mcatanzaro
Employee
Employee
‎2021-09-21 08:13 PM
In response to Chris_Atkinson

Adding to what Chris said, if the F5 is sending return traffic to the wrong MAC then you should look at enabling VMAC mode on the cluster. 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Wei_Soon_Heng
Contributor
Contributor
‎2021-09-21 08:23 PM
In response to mcatanzaro

How can we check in checkpoint if the F5 is sending return traffic to wrong MAC?

0 Kudos
mcatanzaro
Employee
Employee
‎2021-09-21 08:32 PM
In response to Wei_Soon_Heng

You can use the -e option with tcpdump on the F5 if it supports that flag. I imagine it would but am not the most familiar with that vendor. 

0 Kudos
Daniel_
Advisor
‎2021-09-22 08:20 AM
In response to Wei_Soon_Heng

f5 use linux just as system to access HW. Most (arp, tcp, ssl,...) is handled inside tmm. So you can check ARP/auto-last-hop inside tmsh
show sys connection cs-client-addr <IP-of-Firewall> all-properties

BTW: For outgoing traffic CP doesn't use VMAC!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events