This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Petr_Hantak
Advisor
Advisor
‎2018-12-04 04:55 AM

Why CCP packets in VSX are send to network address of internal network subnet?

I'm trying to figure out a strange case when we are able to catch traffic towards VSX internal subnet in different part of network.

 

I have a VSX VSLS cluster. Multiple virtual systems are connected to the same virtual switch, which is connected to normal network terminated by router. Router has default route out and here we can see the bottleneck. I can see traffic following traffic 0.0.0.0 -> 192.168.196.96 (UDP) 8116 going out of my network via that router.

I started to search why. According ClusterXL Advanced Technical Reference Guide is the source IP 0.0.0.0 fine for CCP traffic because it does not care about it. However, I am confused from the destination. I use Internal VSX cluster network 192.168.196.0/22 which is default setup. If I check the interface configurations in CLISH  I can see that was divided to /28 networks for the interfaces and some internal IPs were assigned there (multiple times for same interfaces, but it is correct according sk110345 - Identical IP addresses from VSX "Internal Communication Network" are assigned to interfac...).

So I expected to see communication of CCP on broadcast or particular addresses but I see it towards 192.168.196.96 – which is /28 subnet IP and not assigned to particular interface. There are send FWHA_MY_STATE messages there for example. Funny thing is that this traffic blocking stealth rule in the policy.

I found the same results on multiple all my VSX clusters on R77.30 and on one running on R77.10. Therefore, it seems to be regular thing. All clusters are fully synchronized and fine.

Do you know why is it communicate this way? I was not able to find it anywhere. You can see FW monitor result from one of clusters in attachment.

P.S. – I’ll ask support of course as well.

sync.pcap.zip
9 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events