VRRP failover issue (SG6900 10Gbps)
Hi
The customer's equipment was changed from SG23800 to SG6900 equipment.
Versions are R80.20 to R80.40.
And a 10Gbps add-on module is inserted.
- Line card 1 model: CPAC-4-10F-C
- Line card 1 type: 4 ports 1/10GbE SFP+ Rev 4.0
The customer's setup consists only of an external interface and an internal interface, and it uses VRRP.
As for the issue: when Bypass mode is activated on the DDoS device above the Check Point firewall, the firewalls end up in the following state.
FW_A, External Interface = Master / Internal Interface = Master
FW_B, External Interface = Backup / Internal Interface = Master
We tested the internal interface by directly connecting the firewalls to each other, but the results were the same; we also confirmed that the hello packets were sent normally.
However, an SG23800 configured with R80.40 and tested with the same hotfix showed no symptoms.
Also, when I test with the UTP ports that are onboard on the SG6900, the symptoms do not occur.
I suspect it is a driver/firmware issue that appears when an additional module is inserted into the SG6900 or a Quantum device.
Have you experienced or resolved the same symptoms as me?
Currently, I am in the process of opening a case.
PS. R80.40 has been tested from No Hotfix to the latest ongoing hotfix.
Please confirm the following...
* Which JHF version for R80.40?
* VLANs or Physical interfaces?
* A firewall rule must be configured to accept VRRP packets sent from VRRP routers to the multicast IP address 224.0.0.18.
* When using VRRP VMAC mode, both spanning tree and IGMP snooping must be disabled to avoid split brain.
Thank you for the reply.
However, we configured and tested the same thing internally,
and the interfaces at the bottom of the firewalls were directly connected to each other, but the same problem occurred.
It doesn't appear to be a switch issue in my opinion.
I think this is an obvious bug.
Please report the case to TAC for assistance. Note that certain NIC card versions were only "supported" from JHF T139 GA, but this doesn't appear to apply in your case.
PRJ-26926, PMTR-69753 | Gaia OS | NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.
Hi
It might help you resolve this issue if you are using "VMAC mode: VRRP".
# ethtool --set-priv-flags ethX disable-source-pruning on
I also had a similar issue.
In my lab it occurred when I used the interface card "CPAC-4-10F-C" with the "i40e" driver and "VMAC mode: VRRP" on that card.
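An added check, written for this thread and not taken from the reply above or from Check Point's own tooling: it parses the output of `ethtool -i` and `ethtool --show-priv-flags` to decide whether an interface is on the i40e driver with `disable-source-pruning` still off, so the workaround only gets applied where it is relevant. The sample outputs below are constructed and the interface name eth1-01 is a placeholder.

```shell
# Constructed sample of `ethtool -i ethX` output for an i40e port (not captured
# from the poster's gateway; values are placeholders).
SAMPLE_DRIVER_INFO='driver: i40e
firmware-version: 0.0 0x00000000 0.0.0
bus-info: 0000:00:00.0'

# Constructed sample of `ethtool --show-priv-flags ethX` output, flag still off.
SAMPLE_PRIV_FLAGS='Private flags for eth1-01:
MFP                    : off
LinkPolling            : off
flow-director-atr      : on
legacy-rx              : off
disable-source-pruning : off
disable-fw-lldp        : off'

# driver_name: print the "driver:" field of `ethtool -i` output read from stdin
driver_name() {
    awk -F': *' '$1 == "driver" { print $2 }'
}

# priv_flag_state NAME: print on/off for NAME from `--show-priv-flags` output on stdin
priv_flag_state() {
    awk -v flag="$1" -F' *: *' '$1 == flag { print $2 }'
}

# needs_source_pruning_fix DRIVER_INFO PRIV_FLAGS: succeed (exit 0) only when the
# driver is i40e and disable-source-pruning is off, i.e. the workaround applies
needs_source_pruning_fix() {
    drv=$(printf '%s\n' "$1" | driver_name)
    state=$(printf '%s\n' "$2" | priv_flag_state disable-source-pruning)
    [ "$drv" = "i40e" ] && [ "$state" = "off" ]
}

# check_interface ethX: live check in expert mode; prints the command from the
# reply above when the flag still needs to be turned on. Not run at load time.
check_interface() {
    if needs_source_pruning_fix "$(ethtool -i "$1")" "$(ethtool --show-priv-flags "$1")"; then
        echo "$1: i40e with disable-source-pruning off -> ethtool --set-priv-flags $1 disable-source-pruning on"
    else
        echo "$1: no change needed"
    fi
}
```

Run `check_interface eth1-01` (with the real port name) on each 10GbE port of the line card; the setting is per interface, so every VRRP-facing port on the card has to be checked.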