This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ChoiYunSoo
Contributor
‎2022-03-07 01:40 AM

VRRP failover issue (SG6900 10Gbps)

Hi 

The customer's equipment was changed from SG23800 to SG6900 equipment.

Versions are R80.20 to R80.40.

And a 10Gbps add-on module is inserted.

- Line card 1 model: CPAC-4-10F-C
- Line card 1 type: 4 ports 1/10GbE SFP+ Rev 4.0

 

the customer company consists only of an external interface and an internal interface, and it is VRRP.

As for the issue, when Bypass mode is activated in the DDOS device above the Check Point firewall, the firewall will be in the following state.

 

FW_A,      External Interface = Master / Internal Interface = Master

FW_B,      External Interface = Backup / Internal Interface = Master

 

We tested the internal interface by directly connecting the firewall to each other, but the results were the same, and we also confirmed that the hello packet was sent normally.

 

However, SG23800 configured with R80.40 and tested with the same hotfix, but no symptoms occurred.

Also, when I test the UTP which is onboard on the SG6900, the symptoms do not occur.

 

I suspect it is a driver firmware issue that appears when an additional module is inserted into the SG6900 or quantum device.

Have you ever experienced or resolved the same symptoms as me?

Currently, I am in the process of opening a case.

 

PS. R80.40 has been tested from No Hotfix to the latest ongoing hotfix.

 

 

22.png

 

0 Kudos
4 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-03-07 02:10 AM

Please confirm the following...

* Which JHF version for R80.40?

* VLANs or Physical interfaces?

* Must configure firewall rule to accept VRRP packets sent from VRRP routers to multicast IP address 224.0.0.18.

* When using VRRP VMAC mode, both spanning tree and IGMP snooping must be disabled to avoid split brain.

 

CCSM R77/R80/ELITE
0 Kudos
ChoiYunSoo
Contributor
‎2022-03-07 05:26 PM
In response to Chris_Atkinson

thank you for the reply.

However, we configured and tested the same internally,

and the interface at the bottom of the firewall was directly connected to each other, but the same problem occurred.

It doesn't appear to be a switch issue in my opinion.

I Think This is an obvious bug.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-03-07 06:03 PM
In response to ChoiYunSoo

Please report the case to TAC for assistance, note certain NIC card versions were only "supported" from JHF T139 GA but this doesn't appear to apply in your case.

PRJ-26926,
PMTR-69753		 Gaia OS NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.
CCSM R77/R80/ELITE
0 Kudos
Takeharu_Mineta
Explorer
‎2022-03-15 06:11 PM
In response to ChoiYunSoo

Hi

It might help you resolve this issue if you are using "VMAC mode: VRRP".

# ethtool --set-priv-flags ethX disable-source-pruning on

I also had a similar issue.
In my lab it occured when I used the interface card "CPAC-4-10F-C" and the driver "i40e" and "VMAC mode: VRRP" on the interface card.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events