Wei_Soon_Heng
Contributor

CheckPoint Cluster behind F5 Load Balancer unable to reach the internet

Hi All,

I am facing a strange issue where a CheckPoint cluster pair (located behind F5) is unable to reach the internet. We need the CheckPoint cluster to have internet access to download the geolocation package from the CP cloud, as the client wants to enable the geolocation feature.
The CheckPoint cluster does not hold any public IP; it is NATed at the F5 when going out to the internet.

Troubleshooting steps that have been done:
- Ping from both cluster members to the F5 devices is successful, but for ping from the CheckPoint cluster to an external address (e.g. 8.8.8.8), the tcpdump output shows the packet being forwarded from the gateway, but no reply packet is received.

- The tcpdump output on the F5 shows that the echo-reply has been returned to the CheckPoint, but the CheckPoint does not show any ICMP reply packet being received. I checked on the CheckPoint that there is no drop at the firewall rule, kernel, or interface level.

- The ARP table on the F5 devices shows that the MAC address of the CheckPoint VIP is bound to the active member.

- Meanwhile, this cluster has a few working site-to-site VPN tunnels that are established through the F5 devices.

- Tried a failover of the cluster members; it still does not resolve the issue.

- We have another single distributed CheckPoint gateway that connects to the same F5 devices; it is able to reach the internet and download the geolocation packages.

I am wondering where the ICMP reply packet goes, since the F5 can see the ICMP reply being forwarded to the CheckPoint VIP.
I suspect it is related to the CheckPoint VIP.

Has anyone experienced a similar issue?

The CheckPoint management server and cluster version is R80.30.

Thanks

0 Kudos
7 Replies