Hi guys,
I am working on a project in a VSX Cluster environment (16200 appliances).
I created three virtual systems. One of them is a VPN concentrator.
I created a virtual switch and I assigned a public IP address. I will use it for Remote Access.
I put together a remote access VPN which is basic.
I have a few difficulties:
First, when I try to connect with the VPN client, it tells me the server is unavailable. Again, we are talking about a fairly simple setup that I have done many times. Added IP address as if it doesn't exist outside the VSX segment. ARP entries show nothing.
The second issue is that I can't assign VPN Office Mode (using IP pool)
I tried with solution sk111785 and described in:
https://community.checkpoint.com/t5/Security-Gateways/Configure-Client-VPN-on-VSX/td-p/94678
No result at all!!
BUT when I remove/delete the Virtual switch from Virtual system/VSX Cluster and add a physical interface to the virtual system with same IP public address everything works as it should.
I tried several times to create a new Virtual switch and I get the same results. I need a Virtual switch because later I will share that interface with another virtual system. The port that I want to share contains a range of public IP addresses so that it can be used on multiple virtual machines.
Does anyone have any suggestions, whether this is a limitation, a bug or something else?
Regards,
Sinisa
Please share the version & jumbo take applied to the environment for context?
Sorry I forgot to write that
R81.20, take 26
Thanks for your reply!
I don't know if it is useful information;
I have a similar setup on a Multidomain environment with VSX and everything works as it should. So the problem is present only with the virtual switch on VSX on one tenant/domain
Did you set Link Selection in the relevant VS to the correct IP?
I presume this will be required since you're not using the main IP of the VS...
Thank you for your reply.
Link Selection is set to that IP address.
As far as I can see I have two options;
Delete the existing VS, create it from the start and test it again (not exactly a proper solution for production) OR involve the TAC team for that.
@SinisaZG did you check twice the assignment of interface/bond and/or VLAN to the vswitch and your VS? Was a policy install done to the specific VS after changing the interface topology to the vswitch?
Maybe you're using Proxy ARP and need to adapt the relevant local.arp files.
I found where the problem is/was. The link selection option does not work. When creating VS, the first interface created is Main. I usually create the LAN side first. Later I added the WAN interface.
The IP on the WAN interface is also the address of the VPN concentrator. I set that IP address to Link Selection.
After several checks, VS persistently puts the address from the interface I created first (LAN side). And this only applies when we use a virtual switch. Link Selection works when I use a physical port.
I deleted VS and created a new one, but this time the WAN interface was created first. Everything works now.
I recreated the first scenario again and it doesn't work again.
The lesson of the story is that link selection does not work when we want to use another connection and we have only virtual switches on VS.
Over the weekend I will create this scenario in the LAB and test it again.
I tested in the lab on some versions, R81.10 and R81.20. The error occurred at our client with version R81.20 with Take 26. When multiple public IP addresses are used in combination with multiple Virtual Switches, for some reason, the Link Selection IP address remains stuck regardless of whether we change the IP address in Smart Console.
I did not research the issue in detail, but the only solution was to reinstall the Virtual System again.
The problem is not present in the latest version, Take 41.