This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
‎2024-11-28 08:17 AM

DNS traffic seen over SYNC interface with dummy MAC addresses?

Hello Team, 

 

 

iam totally stunned.
did anybody ever did a tcpdump on the SYNC interface?

today we had an outage of DHCP ... and saw this:

15:39:35.025896 LANX1 Out ifindex 4 00:1c:7f:b8:08:a7 ethertype IPv4 (0x0800), length 375: 10.10.227.253.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 327


15:39:35.025942 LANX2 In  ifindex 5 02:0b:0c:00:00:01 ethertype IPv4 (0x0800), length 375: 10.10.227.253.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 327

00:1c:7f:b8:08:a7 is my lovely Appliance (Quantum Spark 1900, R81.10.15)
10.10.227.253.67 > 255.255.255.255.68 my DHCP reply as i would expect it 

but what is 
02:0b:0c:00:00:01 and it sends with the IP of my FW???

people had severe DHCP issues, no lease optained a ton of "Local Adress Spoofing" logs

Suddenly it got better, noi idea why

i searched for this MAC and made a tcpdump on all my inteface to find it ... and here it is .. on the SYNC!

[Expert@NWATKOEFIRE01]# tcpdump -penni LAN18 not 8116
tcpdump: can't parse filter expression: syntax error
[Expert@XXXXX]# tcpdump -penni LAN18 not port 8116
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on LAN18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:13:52.872584 dc:68:0c:75:de:fb > 01:80:c2:00:00:00, 802.3, length 105: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
17:13:53.063239 02:0b:0c:00:00:01 > 00:1c:7f:b8:08:a5, ethertype IPv4 (0x0800), length 85: 10.254.5.139.54191 > 10.10.2.23.53: 12243+ A? delivery.mp.microsoft.com. (43)
17:13:53.063259 02:0b:0c:00:00:01 > 00:1c:7f:b8:08:a5, ethertype IPv4 (0x0800), length 76: 10.254.5.139.54191 > 10.10.2.23.53: 57262+ A? appex-rf.msn.com. (34)
17:13:53.063273 02:0b:0c:00:00:01 > 00:1c:7f:b8:08:a5, ethertype IPv4 (0x0800), length 69: 10.254.5.139.54191 > 10.10.2.23.53: 30101+ A? aadrm.com. (27)

i checked other FWs as well!
i see this on all FW´s  (Ful GAiA R81.20, HFA8X) i have checked, non existing MAC´s are doing DNS, mostly DNS to the configured DNS Servers, with the SRC IP of the proper interface according the routing table ...

for example:

16:50:50.451160 02:0b:02:00:00:01 > 00:1c:7f:a1:b2:82, ethertype IPv4 (0x0800), length 74: 10.254.4.99.41885 > 10.10.1.22.53: 1547+ A? checkpoint.com. (32)
16:50:50.451186 02:0b:02:00:00:01 > 00:1c:7f:a1:b2:82, ethertype IPv4 (0x0800), length 74: 10.254.4.99.57458 > 10.10.1.23.53: 1547+ A? checkpoint.com. (32)

could somebody enlighten me?
thank you!


0 Kudos
13 Replies
the_rock
Legend
Legend
‎2024-11-28 08:31 AM

Hm...that is odd. I just tested in the lab and when I initiate traffic on windows 11 PC behind my cluster, dont see any of this. Below is all I get.

Andy

[Expert@CP-FW-01:0]# tcpdump -enni eth3 not port 8116
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:27:27.901405 e8:1c:ba:4e:89:87 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.10.69 tell 172.16.10.1, length 46
11:27:28.901550 e8:1c:ba:4e:89:87 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.10.69 tell 172.16.10.1, length 46
11:27:28.938840 8c:85:c1:a6:23:31 > 01:80:c2:00:00:00, 802.3, length 105: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1s, Rapid STP, CIST Flags [Learn, Forward, Agreement], length 102
11:27:28.981573 e8:1c:ba:4e:89:87 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.10.21 tell 172.16.10.1, length 46
11:27:29.216280 ac:71:2e:70:39:c9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.10.69 tell 172.16.10.68, length 46
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[Expert@CP-FW-01:0]#

0 Kudos
the_rock
Legend
Legend
‎2024-11-28 08:33 AM
In response to the_rock

@Thomas_Eichelbu 

FWIW, not sure if this might be related, but this is how I always set it up in topology for the sync.

Andy

 

Screenshot_1.png

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-11-28 08:37 AM
In response to the_rock

ok ok, why defined by routing table, i do 

+ if its not a transfer link, nor any other Anti Spoofing groups etc.


Leads to This Network (Internal)
Sync.PNG

0 Kudos
the_rock
Legend
Legend
‎2024-11-28 09:09 AM
In response to Thomas_Eichelbu

Yea, that should work as well, but I found with setting I have works the best.

Andy

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-11-28 08:34 AM
In response to the_rock

Hello

This is exactly what all my customers ask, "Are we the only one with this problem?"
i just say,  Yes you are.

 

 

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-11-28 08:45 AM
In response to Thomas_Eichelbu

Ahhh maybe its this:


Traffic from the Standby member to any other host goes through the SYNC interface
https://support.checkpoint.com/results/sk/sk167453

it caused  so much panic .. 

0 Kudos
the_rock
Legend
Legend
‎2024-11-28 09:10 AM
In response to Thomas_Eichelbu

I found that same sk before, but forgot to send.

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-11-28 12:26 PM
In response to Thomas_Eichelbu

Are you sure MAC of SYNC interface is really 02:0b:0c:00:00:01 ? Looks very strange, maybe you have enabled Virtual MAC (VMAC) feature ?

EDIT: Looks like that "unknown" MAC is forwarding MAC from standby member. Have a look on this thread. Not documented at all...

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
Legend
Legend
‎2024-11-28 04:17 PM
In response to JozkoMrkvicka

Great point!

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-11-29 01:24 AM
In response to JozkoMrkvicka

Hello, 

yes valid question, but no, no VMAC enabled.
but yes the Standby Member sends his self originating traffic though the Active Member. Thats really a nice gesture 🙂

let me dive into your linked thread ... 
https://community.checkpoint.com/t5/Security-Gateways/Unknown-MAC-address-used-by-Standby-node-in-Cl...

it just caused a lot of headache, the customer is highly unrelaxed .. .

Also it doesnt explain why DHCP did stop suddenly, and worked again after a cluster fail over.
And i see permanent drops for Local Address Spoofing

@@;206019184;[cpu_3];[fw4_3];fw_log_drop_ex: Packet proto=17 10.10.227.253:67 -> 255.255.255.255:68 dropped by fw_local_anti_spoofing Reason: local interface spoof

also interesting, but my MAC is different, ok Quantum Spark. On Full GAiA its 00:01:00:00:fd:01


"Returning traffic from the active to the standby uses the MAC address 00:01:00:00:fd:01 or 00:01:00:00:fd:00"
https://support.checkpoint.com/results/sk/sk178664

0 Kudos
the_rock
Legend
Legend
‎2024-11-29 03:58 AM
In response to Thomas_Eichelbu

Speaking of VMAC, Im curious what you guys think about it. I always get mixed results/answers and it all depends who you ask, if you will.

I mean, to me, logically, it all depends of type of switch used, but I had seen issues where enabling it can cause lots of issues.

Andy

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...

0 Kudos
the_rock
Legend
Legend
‎2024-11-28 09:09 AM
In response to Thomas_Eichelbu

hahaha, I feel your "pain" lol

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top