This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rui_Meleiro
Contributor
‎2023-10-03 01:33 AM
Jump to solution

R81.20 address problems

Since yesterday we are experiencing a rather unusual and strange issue with one of our 3100 R81.20 (Take 26). Traffic stopped flowing all of a sudden. From the logs it was registered going out but no inbound traffic was happening. After a lot of fumbling around, we've changed the gateway External IP address and traffic begun flowing again. This morning, same issue. Reverting the IP address back to the original solved, at least by now. Has anyone ever experienced such an problem?

Regards

Rui Meleiro    

0 Kudos
1 Solution

Accepted Solutions
Rui_Meleiro
Contributor
‎2023-10-04 09:17 AM
In response to Timothy_Hall
Jump to solution

Not using VMAC mode. Nevertheless, after a power cycle to the ISP router the problem was solved as of now. I guesstimate the problem was on that router and not the appliance. 

View solution in original post

(1)
10 Replies
_Val_
Admin
Admin
‎2023-10-03 02:03 AM
Jump to solution

Sounds like an urgent TAC case

0 Kudos
Ruan_Kotze
MVP Gold
MVP Gold
‎2023-10-03 02:09 AM
Jump to solution

Hi Rui,

ARP issue perhaps?  Next time it happens, try doing a cluster failover, or if it's a single appliance run the following command:

#arping -c 4 -A -I eth1 10.20.10.20

Just replace 'eth1' with the correct interface and the IP address with whatever is configured on that interface.

0 Kudos
Rui_Meleiro
Contributor
‎2023-10-03 02:40 AM
In response to Ruan_Kotze
Jump to solution

Thank you for your insight, Ruan. My first though was also ARP, and have flushed all dynamic ARP tables on switchs and routers, including the appliance. Not sure how an arping probe will further that, but I'll make sure to check it. 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-10-03 04:51 AM
Jump to solution

What does fw ctl arp show when the issue occurs?  Are you using a cluster?

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Rui_Meleiro
Contributor
‎2023-10-03 05:16 AM
In response to Timothy_Hall
Jump to solution

Hadn't had the chance to get that while the issue was happening. At this moment - last IP address change is ongoing without any issues - I get all of the IP addresses listening on the same segment, using the same interface mac address the gateway has. Gateway IP is x.x.x.27 and IPs x.x.x.28 and x.x.x.29 are shown. This is a standalone gateway.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-10-03 06:16 AM
In response to Rui_Meleiro
Jump to solution

We upgraded customer recently to R81.20 and only weird issue I recall they had was that lost of users had their MS teams and zoom get disconnected randomly, but it was fixed by allowing all users to access all ms teams/zoom apps by creating a rule within internal layey in network ordered layer.

I cant say why that happened, but Im fairly sure its due to R81.20, as it was never an issue before upgrade (R80.40 and R81.10)

Anyway, onto your problem. I agree with the guys, sounds like an ARP problem. Do fw ctl zrp as @Timothy_Hall advised, but I also second what @_Val_ said. It definitely warrants call to TAC, as it rather sounds like an urgent problem.

You can also simply run arp when it works and when its broken and compare.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-10-03 06:22 AM
In response to Timothy_Hall
Jump to solution

I have seen proxy ARP issues with R81.20 Take 24 so very interested to see the output of fw ctl arp when it happens.  I assume you are not using VMAC mode?

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Rui_Meleiro
Contributor
‎2023-10-04 09:17 AM
In response to Timothy_Hall
Jump to solution

Not using VMAC mode. Nevertheless, after a power cycle to the ISP router the problem was solved as of now. I guesstimate the problem was on that router and not the appliance. 

(1)
Rui_Meleiro
Contributor
‎2023-10-04 09:17 AM
Jump to solution

Thank you all for the valuable input.

(1)
the_rock
MVP Diamond
MVP Diamond
‎2023-10-04 10:16 AM
In response to Rui_Meleiro
Jump to solution

Happy to hear its fixed.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events