This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Contributor
‎2023-10-23 03:19 AM

Secondary gateway cannot ping its default gateway.

Situation as follows: 2 x 3200 appliances on R80.30 jhfa take 237 (yes, I know). They were relocated over the weekend, external IPs changed, all good. Both appliances are up, active member is fine and passing traffic, ClusterXL reports all is well. The secondary appliance cannot ping its own default gateway, interface is up and topology is correct, no ARP entries at all, default route won't become active. Management cannot reach the box to put policy on (fw unloadlocal doesn't help). The link to the ISP is working, we've put a laptop on the same cable the FW was plugged into and given it the same IP and it works no problem.
0 Kudos
6 Replies
_Val_
Admin
Admin
‎2023-10-23 03:21 AM

Can it ping if it becomes active?

0 Kudos
khodgson_bts
Contributor
‎2023-10-23 03:22 AM
In response to _Val_

We've not tried that yet. At the moment the site is live and we cannot have any downtime.

0 Kudos
_Val_
Admin
Admin
‎2023-10-23 03:35 AM
In response to khodgson_bts

This may be normal, depending on the details of your configuration. With R80.40 and up, traffic from standby goes through sync interface towards the active member, see sk167453. 

Try running traces to see where packets are "lost". 

0 Kudos
khodgson_bts
Contributor
‎2023-10-23 03:45 AM
In response to _Val_

All we are getting is "network unreachable" from traces and pings. Regardless of active/standby status, the device should be able to ping its own default gateway. The route is not even showing as active in the routing table.

0 Kudos
_Val_
Admin
Admin
‎2023-10-23 04:06 AM
In response to khodgson_bts

Please look into the SK I already provided, you will see that it is a bit more complicated with ClusterXL

Assuming you have policy installed on the new appliance, and the cluster is running in Active/Standby, it should be all good. 

However, by traces I mean, try to understand where exactly ICMP is broken. You can do that by running "fw monitor" on both standby and active cluster members. You can also check logs for drops of the relevant traffic.

0 Kudos
_Val_
Admin
Admin
‎2023-10-23 04:11 AM

Oh boy, I just re-read your post, you are running an unsupported R80.30. This changes everything. 

Please look into a similar thread in the community: https://community.checkpoint.com/t5/Security-Gateways/ClusterXL-standby-cannot-reach-gateway/m-p/257...

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top