This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ahmed_bousta
Contributor
‎2019-03-05 02:53 AM

VSX configuration output interface

output of interface vsx :

hello evry body 

can someone explain to me why i have difference IP in output between the two commande in the same FW For the same interface alos

in the same CHASSIS

when i use show configuration i see this output for the interface eth3-01.403 

set interface eth3-01.403 state on
set interface eth3-01.403 mtu 1500
set interface eth3-01.403 ipv4-address 192.168.196.66 mask-length 28

and when i use show interface eth3-01.403 i see the different IP .

 

show interface eth3-01.403
state on
mac-addr 00:4c:7f:85:c3:9c
type vlan
link-state not available
instance 35
mtu 1500
auto-negotiation Not configured
speed 10G (eth3-01)
ipv6-autoconfig Not configured
duplex full (eth3-01)
monitor-mode Not configured
link-speed Not configured
comments
ipv4-address 10.126.111.45/27
ipv6-address Not Configured

0 Kudos
10 Replies
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-03-05 04:10 AM

192.168.196.0 is your internal communications network, see from VSX admin guide:

Internal Communication Network
The internal communication network is a virtual network that is required for ClusterXL environments, in addition to the synchronization network. The internal communication network is invisible to external networks and lets cluster members communicate and recognize the state of the environment.
VSX assigns an IP address to the internal communication network during the cluster creation process. This eliminates the need to manually assign an IP address to each cluster member:
IPv4 address: 192.168.196.0, netmask: 255.255.252.0 (A range of four class C networks).
IPv6 address and netmask: FD9A::1FFE:0:0:0/80
You can modify the default IP address using the Gateway Cluster Properties > Cluster Members page of the VSX cluster object, but only before creating Virtual Systems. Once Virtual Systems have been created, the IP range of the internal communication network cannot be modified.
Note: To avoid overlapping IP addresses, before creating any virtual devices, make sure the default IP address range of the Internal Communication network is not used anywhere else in the external network

so you shouldn't worry too much about it unless your own internal real networks overlap with that range

0 Kudos
ahmed_bousta
Contributor
‎2019-03-05 08:29 AM
In response to Kaspars_Zibarts

thank you but i can't ping from the Ip that in configuered on smartdashbord 10.126.111.105

when i ping the interface 

ping 10.126.111.105
PING 10.126.111.105 (10.126.111.105) 56(84) bytes of data.
From 192.168.196.194 icmp_seq=2 Destination Host Unreachable
From 192.168.196.194 icmp_seq=3 Destination Host Unreachable
From 192.168.196.194 icmp_seq=4 Destination Host Unreachable
From 192.168.196.194 icmp_seq=6 Destination Host Unreachable

and on the smartview traker i see the  192.168.196.194  as source . 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-03-05 01:58 PM
In response to ahmed_bousta

Is the machine you do the ping on the master for this VS, are you in the correct VS while doing this ping?

To find out which VSLS member each VS is active on you can run the following commands in expert:

vsenv 0

vsx stat -v

cphaprob stat

The vsx stat command will show you the names and VS number of each VS, cphaprob will show you the active / standby / backup state of each VS for each member in a cluster.

Regards, Maarten
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-03-06 12:50 AM
In response to Maarten_Sjouw

Additionally source may be NATed to the real IP, we had a discussion before but didn't get to conclusion why does it sometimes use internal comms as a source and sometimes NATs it, here's an example from two different VSes with different results in the log

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-03-06 12:58 AM
In response to Kaspars_Zibarts

In this case the actual IP was shown in his ping response as that is the interface IP that reports the Host Unreachable:

From 192.168.196.194 icmp_seq=6 Destination Host Unreachable

What is even more confusing is that the range the interface is in does not comply with the network of the pinged host:

ipv4-address 10.126.111.45/27 and 10.126.111.105 

So if they are not in the same network why does it try to access the host directly, this can only be when the host is on another interface than the interface mentioned, which also complies with the different IP that we see in the first post .66 and .196 in the ping post.

Regards, Maarten
ahmed_bousta
Contributor
‎2019-03-06 01:21 AM
In response to Maarten_Sjouw

i'm in the correct VS . and i try to ping from both active/standby. but i can't ping the self interface from the vs 

from outside i can ping the IP 10.126.111.105 . 

but when i ping from vs i can't ping other equipements from  the VS.

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-03-06 01:41 AM
In response to ahmed_bousta

You will need to supply full details Ahmed so we can see all IPs, errors etc

0 Kudos
ahmed_bousta
Contributor
‎2019-03-06 02:39 AM

a take an exempl for the one vlan i have the same issue for all valn 

as you can see on smartdashbord i can see this ip for this interface .

show interface eth3-01.405
state on
mac-addr 00:5c:7c:95:d5:2d
type vlan
link-state not available
instance 33
mtu 1500
auto-negotiation Not configured
speed 10G (eth3-01)
ipv6-autoconfig Not configured
duplex full (eth3-01)
monitor-mode Not configured
link-speed Not configured
comments
ipv4-address 10.126.111.12/27
ipv6-address Not Configured
ipv6-local-link-address Not Configured

______________

and for show configuration command i see

set interface eth3-01.405 mtu 1500
set interface eth3-01.405 ipv4-address 192.168.196.98 mask-length 28


--------
in my netwok i don't want this ip to be reacheable

ping 192.168.196.98
PING 192.168.196.98 (192.168.196.98) 56(84) bytes of data.
64 bytes from 192.168.196.98: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 192.168.196.98: icmp_seq=2 ttl=64 time=0.010 ms
64 bytes from 192.168.196.98: icmp_seq=3 ttl=64 time=0.011 ms
64 bytes from 192.168.196.98: icmp_seq=4 ttl=64 time=0.011 ms


:33> ping 10.126.111.12
PING 10.126.111.12 (10.126.111.12) 56(84) bytes of data.
From 192.168.196.98 icmp_seq=2 Destination Host Unreachable
From 192.168.196.98 icmp_seq=3 Destination Host Unreachable


show route

-------------
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive


C 10.126.111.0/27 is directly connected, eth3-01.405

-------------

i can ping the reel ip fro outside

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-03-06 02:51 AM
In response to ahmed_bousta

This is normal behavior, it is a virtual IP and cannot be pinged from the machine itself.

Regards, Maarten
0 Kudos
ahmed_bousta
Contributor
‎2019-03-06 02:56 AM
In response to Maarten_Sjouw

thank you very much i do same check for an other VS working fine and i see the same result we can't ping a virtual ip from the VS

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events