Hi
We are having some issues with RADIUS authentication from the standby member in a cluster that
consists of two open server nodes (VMware virtual machines) running R80.40.
Both nodes have RADIUS server authentication configured, but it is only possible to log in to the active node.
If we switch roles from active to standby, the other node that becomes active works.
We have traced the traffic, and it goes from the Standby node via the Active node to the RADIUS server.
The RADIUS server is responding back to the cluster IP and is visible on the Active node, but then no return traffic is visible on the standby.
The following steps have been made in attempts to correct the issue:
In VMware, disable Forged MAC Address on the Sync portgroup
We have tried to toggle these kernel parameters:
fwha_cluster_hide_active_only
fwha_silent_standby_mode
fwha_forw_packet_to_not_active
But there was no difference at all; no reboot was made, we just toggled the flags on the fly.
Any suggestions on how to further check this issue are welcome 🙂
Thanks
//Rickard
Hey,
We're also using RADIUS (Cisco ISE) to authenticate/authorize access on the appliance.
As far as I know we don't have any issue, as we have the appliances registered in ISE by LAN IP and Management IP address.
Also, I see you have them as virtual machines; our virtual ones are single appliances, so no HA there and no RADIUS problem either.
When you try to perform a RADIUS authentication on the secondary box, can you also have an SSH session (in expert mode maybe) and do a TCPDUMP on LAN/Management towards the RADIUS IP and see what you get there?
I would say it's normal to see traffic on the ACTIVE box, as you would route through that one towards the RADIUS server - not sure about your set-up.
ty,
Hi,
Yes, as far as I understand, the traffic flow is as expected.
But the problem is that return traffic does not seem to reach the standby.
If we listen for traffic at Radius we see traffic from Active node with cluster IP as source and return.
"If we listen for traffic at Radius we see traffic from Active node with cluster IP as source and return." - sorry, but you have something WRONG there.
If I ask for RADIUS AUTH from the standby, then the RADIUS server should see the packet coming from the standby appliance (IP address).
Several details are missing, as you should not route standby traffic over the ACTIVE GW, unless you have some weird routing/set-up and some NAT in place - that would explain you seeing the Active Node IP on a Secondary Node return.
So can you sketch something in Paint - how are things connected and what communicates with what?
ty,
What network/interface is the Radius server located on/via relative to the firewall?
When configuring the above kernel parameters did you also adjust your NAT policy to compensate?
For the Radius configuration what "NAS IP Address" value is set and what is ISE configured to allow?
What JHF are you on?
I'd ensure you're on at least the latest GA JHF.
See: https://sc1.checkpoint.com/documents/Jumbo_HFA/R80.40/R80.40/R80.40_Downloads.htm?tocpath=_____3