This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ErikV
Participant
‎2023-04-20 03:08 AM

ISP redundancy: reply to sender MAC instead of gateway MAC

Hi all,

I'm having a connectivity problem since we have connected a new ISP. It seems they have two routers of which one owns the default gateway IP. Nothing strange about that.

But looking at incoming traffic, I see packets arriving for my firewall IP, source IP outside of my directly connected subnet, with different source MAC addresses. Per flow the firewall seems to reply to the source MAC it received the previous packet from, not the ARP entry of the default gateway. I suppose this has something to do with using ISP redundancy, and wanting to have symmetrical flows.

But in this case I suspect it is causing problems. It seems the replies that are sent to other MAC addresses than the MAC of our default gateway (= probably the MAC of the standby router, that still delivers incoming traffic) is dropped at the ISP, since I see multiple SYN-ACKs sent to that MAC and then the session times out. All replies sent to the gateway's MAC address are properly handled.

We are using active-standby ISP redundancy, so in this case there is no need (I think) for this feature, and I would prefer to just reply to the default gateway's MAC instead of the original sender. At least I would like to try to see if this is indeed the cause of our connectivity issues.

Does anyone know more about this behavior, and preferably also know how to switch it off while still using ISP redundancy?

 

Thanks,

Erik

 

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2023-04-20 07:14 AM

Are you able to attach screenshot of the isp redundancy config on the gateway as per below? Please blur out any sensitive info. I work often with customer using ISPR and only issue we had with it was that few months ago, R&D had to give us updated script for it, but other than that, all works fine.

Example below of what I was looking for...

Andy

 

Screenshot_1.png

0 Kudos
ErikV
Participant
‎2023-04-20 07:41 AM
In response to the_rock

Hi Andy,

Thanks for looking into this. See screenshot below! It's not really an issue with ISP redundancy, replying to the MAC address from which the initial packet was received makes sense to keep the traffic flows symmetrical. It's just that our ISP does not seem to accept traffic sent to the standby router, although the standby router does deliver traffic to our firewall.

Regards,

Erik

Capture.PNG

0 Kudos
the_rock
Legend
Legend
‎2023-04-20 08:05 AM
In response to ErikV

Ok, got it...do you see any drops if you do the traffic capture?

0 Kudos
ErikV
Participant
‎2023-04-20 02:21 PM
In response to the_rock

No drops, just retransmits of the SYN-ACK. Going out to the ISP, and no answer...

Regards,

Erik

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-21 01:43 PM

Not sure ISP Redundancy is involved here (or it's not clear if it is).
Recommend a TAC case to assist: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events