This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ykpark
Contributor
‎2022-11-08 12:07 AM

Problem with proxy ARP service.

Dear all,

I have a question.

Firewall deployment mode is HA (active/standby). (version is R80.40)
When fail-over occurs, there are problems with some services.

When I checked, it was confirmed that there is a problem only in the services registered in Proxy ARP.

Registered with reference to sk30197.

I'm looking for experience in solving cases similar to mine.

Thanks

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-08 01:32 AM

Does the issue resolve after installing policy, what JHF is installed?

Where possible routing addresses/subnets towards the cluster is a common alternative to the use of proxy-ARP.

 

CCSM R77/R80/ELITE
0 Kudos
(1)
ykpark
Contributor
‎2022-11-08 08:38 PM
In response to Chris_Atkinson

Jumbo hotfix version is 118.

Is it correct that the proxy arp information registered in fw1 is updated with the proxy arp information registered in fw2 if it fails over?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-08 11:13 PM
In response to ykpark

Recommend upgrading from Take 118 to a newer/recent one as there are known issues around that take level and is over a year old.

 Yes per Tim's earlier reply GARP (gratuitous ARPs) messages are sent to update the routers so long as they don't block/filter those.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-11-08 05:44 AM

Possible your adjacent routers don't like the gratuitous ARPs issued by the new active member upon failover.  In that case you either need to turn that protection off (ARP state tracking) on them, or set for VMAC mode on the cluster object.  However if you do that, make sure all switchports the cluster members are plugged into are configured for portfast to set STP Listen/Learn timer to zero.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
ykpark
Contributor
‎2022-11-08 08:51 PM
In response to Timothy_Hall

Thank you for your update.

Peer switches are all configured with portfast.

If there is a failover from fw1 to fw2, there is no problem with the end-user Internet service, but only the IPs registered with Proxyarp have a problem with the service.

For example, Proxyarp also has a DNS server registered. There is a problem when querying with an internal DNS server from outside.

If the fw1 equipment is restored again, the problem will be solved.

Is there any expected problem or cause?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-11-08 09:38 PM
In response to ykpark

Is there any expected problem or cause?

Please read my prior reply again.  I already answered your question.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
ykpark
Contributor
‎2022-11-08 09:51 PM
In response to Timothy_Hall

Thank you for your answer. Thank you

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events