This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
pawpus
Explorer
‎2022-11-06 04:49 PM

VSX Lab Issue

I'm running R81.10 with JF 78 in a lab environment to try and understand VSX but I am having a weird issue and not sure if its NAT or ARP related or not. I have a machine behind each VS in a different subnet and I am able to successfully ping each other but I am unable to ping the internet router.

 

fw monitor shows the traffic entering the physical interface (i and I) and out the warp interface (o and O) but I dont see the return the traffic. I have automatic static NAT set and I see the NAT being applied for both small o and big O but no return traffic.

 

Its my understanding that the Virtual Switch is just a simple layer 2 switch and fw monitor doesn't show any traffic on the outgoing physical interface but I suspect that is expected behavior. tcpdump does show the NATted traffic egressing but no return traffic.

 

I could see the arp on the Virtual System was coming up as incomplete and put in a static arp entry in to see if that would fix the issue, but still not joy.

 

Is there a way to see the mac address table? Since its a L2 device I am not going to see ARP. It shouldn't be a routing issue as these are all directly connected subnets and I am propagating all the routes as well.

 

High Level Diagram

 

   Internet Router

              |

   Virtual Switch

|              |               |

VS2      VS3          VS4

FW1       FW2        FW3

 

Any ideas on where to check next? I am not sure if i'm missing something as my experience has been with physical gateways and not VSX.

 

 

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2022-11-07 05:38 AM

I assume you are pinging the routes from the internal networks and not VSs themselves. The latter won't work. If you do, please run fw monitor as the first diagnostics tool.

0 Kudos
pawpus
Explorer
‎2022-11-07 05:30 PM
In response to _Val_

Yes I am pinging them from networks behind the VSs.

In fw monitor I am able to see the traffic enter the physical interface (ethX) and egress out the warp interface. I am pretty sure its a L2 issue at this point.

0 Kudos
the_rock
Legend
Legend
‎2022-11-07 05:46 PM
In response to pawpus

Are you able to attach the actual fw monitor capture file here and give us the IP addresses affected? If we could open in it in wireshark, it may shed more light as to why its failing. Though, I agree with you, sounds like L2 issue to me as well.

If you do traceroute, where exactly does it fail?

0 Kudos
pawpus
Explorer
‎2022-11-07 06:30 PM
In response to the_rock

I am pretty sure I have found the issue. I think this is a VMware issue and its due to promiscuous mode not being enabled on the virtual switch. I have reached out to the team that manages it and its also NOT something I can get changed.

I may try and rebuild this LAB in workstation instead and hopefully I will have more luck.

0 Kudos
_Val_
Admin
Admin
‎2022-11-08 04:58 AM
In response to pawpus

Yep, that must be it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top