This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
Employee Employee
Employee
‎2020-06-11 01:44 AM

Traffic originating from standby VS fails to reach DNS

Have a peculiar problem after introducing Virtual Router on our VSX to interconnect most VSes on that cluster.

If traffic originates from a VS on the standby VSX and it needs to reach another VS (i.e. Identity Sharing on port 15105) or a service that's behind another VS (i.e. DNS for FQDN objects), it will stop dead in it's tracks at the standby VR - I'm assuming VR is not forwarding traffic as it is in standby state. Diagram below might help understanding the issue:

image.png

 

I'm not too sure if anyone else has seen it? And possibly found a solution. I tried to search SKs but did not find anything relevant. 

Seems like obvious solution in HA VSX case, would be first forwarding packet from standby VS1 to active VS1, then routing it normally via active VSX. And when packet is returned to active VS1, it would forward it back to originating standby VS1. This way we would resolve both FQDN case and IA publishing.

Currently we have lots of domain alerts in logs from standby VSX:

image.png

 

as well as standby VS that's publishing IDs to other VSes is marked as "failed" in SmartConsole:

image.png

 

 

 

0 Kudos
7 Replies
Wolfgang
Authority
Authority
‎2020-06-11 02:25 AM

@Kaspars_Zibarts 

I think the standby instance of the virtual-router on the standby VSX does nothing, did not forwarding any traffic.

This is following virtual-router is only supported with VSX-HA.

If something on the standby node needs to access something behind another VS, the traffic flow has to go over the virtual-router on the active node.

regards

Wolfgang

 

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-06-11 03:04 AM
In response to Wolfgang

Exactly! That was my question! 🙂 But how do you force a standby VS to communicate to active VR / VS?

0 Kudos
Wolfgang
Authority
Authority
‎2020-06-11 04:40 AM
In response to Kaspars_Zibarts

@Kaspars_Zibarts are these DNS and PEP connections NATed behind the internal VSX-IP of the VS?

They should leave the system with the "real" IP of the VS. If I remember rightly there was a problem with PEP in ClusterXL and a wrong NAT for the physical node. Maybee the problem is the same here with VSX. But right now I can't found the sk 😞

Wolfgang

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-06-11 11:52 PM
In response to Wolfgang

No, NAT does happen correctly and no internal VSX IPs are used once traffic islis VS. Otherwise it would not work on active VSX either.

0 Kudos
Jan_Kleinhans
Advisor
‎2020-07-02 11:10 PM

Hi.
Have you found a solution for this problem? We are not using Virtual Routers but have the same problem that the standby VSses cannot reach DNS or other destinations.
Are you using R80.40 ?

Best regards,

Jan
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-07-03 04:20 AM
In response to Jan_Kleinhans

Nope. We're on R80.30 T155. But the problem is only present when VR is in the path. Those VSes that have direct physical connection or via virtual switch work ok. So I believe you have uncovered totally different problem on R80.40

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-08-23 03:32 PM
In response to Kaspars_Zibarts

Interestingly enough the issue was resolved after I installed T215 (from T155)! Not too sure if anyone was still interested, but here you go! 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events