Thanks for that information. However, I would like to know Unknown MAC address belongs to Checkpoint or not? How can we ensure that?

There is no aymmetric connection issue here.

Chris is correct it is indeed expected behavior. As far as unknown MAC, can you verify if that MAC is indeed showing either in cphaprob -a if or ifconfig -a command?

Andy

There is no such MAC address obderved by running suggested commands

Do you see the same mac-address when both cluster members are on the same ESX host?

Possibly correction layer mac-address TAC should be able to help confirm.

I dont think so this is specific to ESX host. I am getting same in Checkpoint appliance standby node as well.

But your cluster works fine otherwise? No failover issue?

Cluster works absolutely fine. Only issue with Standby node unable to communicate outside world, that too fixed after allowed Forged transmits in ESX but we want to understand from Checkpoint why this behaviour and where these MAC address were getting generated?

Why it not forward packets with actual standby sync interface MAC address as Source MAC?

I dont have any more ideas, sorry mate. Maybe open a TAC case and see what they say. Personally, I had never seen that before.

No issues @the_rock . Have already TAC case opened but no useful update from them. I have figured out all these things by myself. Let me see, what they will answer for this Unknown MAC.

Thanks for your response 🙂

One MAC is from EQUIP'TRANS (see above) - 02:56:2e:00:00:01 is not tied to a vendor. All CP appliances interface HW MACs are in the form: 

00:1C:7F:xx:yy:zz

Not getting your point. @G_W_Albrecht @_Val_  Standby member uses same kind of MAC address to forward traffic to other hosts irrpespective of type of deployment (Deploy in Physical server such as HP or deploy as VM in esx host or Checkpoint appliance).

So, Checkpoint has to answer.

Check Point is two words. 

What I see from your original post, you see traffic being forwarded from the standby member to the active member. This is normal for some limited scenarios, where a few connections may still be handled by a standby member after failover. These connections should be then forwarded to the active member and sent out.

To do that, a standby member is forwarding packets using an artificial MAC address. This is part of ClusterXL tech. The last octet of that artificial MAC address is a function of your cluster ID.

Depending on the version of your FWs (which you failed to mention) this forwarding can be done via sync or via production interfaces of your cluster. 

If you see a lot of forwarded traffic, you should investigate why production traffic hits the standby and not the active member, and fix the issue.

In your case, who is pinning 8.8.8.8 through standby member?

Cluster running in Gaia R81.10 version. I only ran ping 8.8.8.8 to test internet connectivity from standby firewall. Production traffic always hits active firewall not stanbdy. There is no issue with production application traffic.

Here, the issue that we are talking about connection initiated by standby member. Probably, I will wait for assigned engineer from Check Point to address my queries through remote session.

Keep us posted, very interesting issue indeed.

It is only interesting if one does not know how ClusterXl works, @the_rock  🙂

@_Val_ lol, thats it : - )

This is by design, see about forwarded traffic once mode. 

Still my question not answered. Where is the proof from Check Point, this is by design? Can you point to any SK article or public document please?

Sending traffic from Standby node to Active node for any communication by design is okay to accept but packets with unknown source MAC address is something I want to know and ensure that it belongs to checkpoint. Remember ESX blocking this traffic by MAC address Forging. 

I agree with you 100%. Please keep us posted what TAC says.

Thanks so much @_Val_  for the information. I could see fwha_forward_mac_magic has decimal value of 253 which is equivalent to 'FD' in hexadecimal. Also, I assume that it takes 00 (as ID of target member) for member with highest priority and 01 (as ID of target member) for member with lower priority for version R81.10 atleast, I have verified with few cluster gateways and got same id in source MAC. Also Can you confirm in R81.10, the default forwarding Source MAC format is something like this "00 01(not sure what this value but i could see its same in all cluster members) 00 00 fd (forward mac magic id) 01/00 (id of target cluster member)" ?

Can you correct me if anything I misunderstand in above sentence?

I also would like to know actual source MAC address where connection initiated i.e., 02:56:2e:00:00:01 (Unknow MAC). How this was calculated?

Both magic MAC and forward-magic MACs are function of a Cluster-ID, which is in your case 1. They differ in 1 bit.

The source forwarding MAC is the reversal of forward-magic MAC, i.e. 00:00:00:00:00:00 minus your forward_magic MAC.

Once more, these are very advanced settings that are not well documented.