This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StevePearson
Participant
Saturday

Cluster failover

Having a problem with failover between a pair of 5800 gateways, setup in the same way as other customers so I'm at a loss as to why this is happening.

So, each gateway has a single connection WAN port connected to a Cisco switch. There's no fancy config on the switch. The ISP router is also connected to the switch providing the connection to the internet.

When you fail over the gateways, all outbound traffic is fine but anything incoming fails (eg remote access, web portals etc).

I've traced this to what I believe is an arp issue as the ISP router has the MAC address of the primary gateway, and the arp entries have a 4 hour TTL, that the ISP won't change.

In the advanced settings for the cluster there is a tick box to use virtual MAC, which I thought was ticked by default but in this site it's not. I know this site started out as a single gateway and was upgraded to a cluster quite some time ago (before we were involved) so I wondered if it was something that was legacy and not set during the upgrade back then. So I checked a couple of other customers with similar configurations, where I know for sure that the failover works perfectly and instantaneously, but they also have the use virtual MAC box unticked, so this must be the default setting.

So now I'm at a loss as to what the root cause of this issue is. I'm thinking that possibly the ISP router is outdated plus the 4 hour TTL, could well be the issue, and setting the option to use virtual MAC would be the best way forward.

Has anyone else encountered this type of issue?

0 Kudos
4 Replies
Chris_Atkinson
Employee Employee
Employee
Saturday

VMAC is not default but worth trying based on what you've described.

If it wasn't for the stale mac-observation i'd also be checking route next-hops & port-fast settings.

Which version/JHF are involved?

CCSM R77/R80/ELITE
0 Kudos
StevePearson
Participant
yesterday
In response to Chris_Atkinson

Hi Chris,

This is currently running R81.20 take 84, but the issue has been around for a while, even going back to R81.10 with take around 130, but probably earlier.

When you say about next hop and port fast, are you referring to the switch?

Thanks,Steve

0 Kudos
Chris_Atkinson
Employee Employee
Employee
yesterday
In response to StevePearson

Yes portfast enabled on the switchports connecting the firewalls.

Double check that the router is pointing route next-hops to the cluster VIP rather than the physical interface IP.

But again the stale mac is a valid reason to investigate VMAC.

(Likely the ISP router is ignoring G-ARP messages as a potential security risk)

CCSM R77/R80/ELITE
0 Kudos
Lesley
Mentor Mentor
Mentor
yesterday

VMAC is a good option here as posted before. Easy to enable / disable no config required 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events