This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
00071491
Contributor
‎2021-07-01 09:56 PM

DHCP Relay Troubles when both Cluster Members are Online

Hello,
 
We're running R80.40 jumbo main Take 77.
 
We're having a strange issue, but are able to replicate it quite easily.  We have an IP subnet which relays DHCP through the checkpoint, back to our internal DHCP server (Windows) to obtain an address.  This is for our Guest network.
 
With both cluster members in an "Up" state via "clusterXL_admin up" as shown below, new DHCP requests fail to obtain an IP Address.
 
[Expert@CP-GW5600-HA:0]# cphaprob state
 
Cluster Mode:   High Availability (Active Up) with IGMP Membership
 
ID         Unique Address  Assigned Load   State          Name
 
1          10.5.5.1        100%            ACTIVE         CP-GW5600
2 (local)  10.5.5.2        0%              STANDBY        CP-GW5600-HA
 
 
If I run a "clusterXL_admin down" on one of the members, it continues to not allow new client DHCP requests nor obtain an IP Address.  On the member that we "downed", if we issue a Reboot on that member and it goes offline for a couple of minutes, the active cluster member then will allow DHCP requests and new clients are able to obtain an IP address.  That client will hang onto its IP address even after the downed member boots back up and goes to a STANDBY state.  If that same client forgets the network, or releases its IP Address, it is then unable to renew or obtain a new address until one of the cluster members goes offline for a reboot.
 
To me, this either appears to be a bug in R80.40 Take 77, or some sort of MAC caching issue with the Cluster VIP when both members are in an Active/Standby state. 
 
The strange part is this happened 2 weeks ago, but rebooting one of the cluster members fixed the issue at that time.  This morning, it started happening again out of the blue with no admins working on the firewalls. 
 
Thoughts on what could be happening and how to solve it? 
 
Rory
Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-07-01 10:07 PM

I assume this worked previously?
Have you done any troubleshooting to see what the issue might be? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
00071491
Contributor
‎2021-07-01 10:26 PM
In response to PhoneBoy

Hi, yes it has been working for a couple years with little to no issues until recently. We’ve been on R80.40 take 77  for 6-8 months with no issues. I’ve been working with CP support and we started to run though that same article you listed but it’s now being escalated and plan to reach out again tomorrow. I figured I’d post here to see if anyone has any suggestions.

At this point, support was unable to find any dropped traffic, but the engineer wanted to escalate it to someone more familiar with tracking down these types of logs and traffic.  

Rory

0 Kudos
SeanAllison
Participant
‎2022-03-13 11:27 AM
In response to 00071491

Hi Rory - did you ever get a resolution for this problem?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events