Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Martin_Raska
Advisor
Advisor
Jump to solution

MDS with two interfaces

Hello Mates,

I have a problem to find a viable solution to this kind of problem. The customer is deploying MDS server with two CMA and CLM atd.

They have defined Leading interface eth0 with their private subnet. Everything is on eg. 10.0.0.0/24. They want to have external access for customers to MDS via a different interface with public IP 194.0.0.X, so we add new interface on MDS, but we are not able to connect. In SmartConsole we have this error Authentication to Server x.x.x.x failed, but we are 200% sure that login is correct, verified also on other created admin users with passwords like 12345. This might help but the file is empty - sk57860.

 

Someone could suggest changing leading interface but we dont want to do it as admin guide says:

If there is more than one interface on a Multi-Domain Server, you must configure at least one interface to be
the leading interface. Multi-Domain Servers (Primary and Secondary) and Multi-Domain Log Servers use
the leading interface to communicate with each other for database synchronization.

and this should be an eth0 private subnet.

 

I also found that we cant have two leading interfaces. Every new CMA should be created with private IP. But this says otherwise - sk108763. So we could add new interface to Leading - will it solve it?

 

There is also old threat but it does not help me:

https://community.checkpoint.com/t5/Management/How-to-connect-to-MDS-R80-10-through-alternate-interf...

Thx for the suggestions.

 

0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Mentor
Mentor

The best is to use the same interface (subnet) for leading VIP and also for all CMAs. Hovewer, using different subnet for leading interface and different subnet for CMAs is possible. But you will face the issue that you can reach SmartConsole MDS only over the interface marked as leading.

Even if you are somehow able to access MDS over public IP, the CMAs are reachable from user's computer IP to the CMA IPs, NOT to the MDS IP.

This is the case where NAT can be used, to translate public IP to private IP once there is connection to CMA IPs over SmartConsole ports.

Another option would be to use some Windows jumpserver with installed SmartConsole. The jump will have 2 interfaces (public + private). Customers will reach the jump over internet but access from jump to MDS (also CMAs) will go over private subnet.

Kind regards,
Jozko Mrkvicka

View solution in original post

13 Replies
Dario_Perez
Employee Employee
Employee

this is routing issue since you have only eth0 defined you already have 0.0.0.0 route, then when you got a request from other interface the reply is going through eth0. 

create a route for that source. or create a NAT for MDS 

0 Kudos
Martin_Raska
Advisor
Advisor

It does not come to my mind, thanks we will check. I already propose NAT, but the customer is not flexible it this.

0 Kudos
Martin_Raska
Advisor
Advisor

This is not routing issue, I am connected there over the Internet with SSH via Public IP on the second interface. Default route is pointing to the Internet. I will continue with the Investigation.

0 Kudos
Dario_Perez
Employee Employee
Employee

how the MDS know your IP? create a pint or traceroute to make sure how the mds is replaying

0 Kudos
Martin_Raska
Advisor
Advisor

eth0 Link encap:Ethernet HWaddr 00:50:56:B6:6F:B2
inet addr:100.101.XX.XX Bcast:100.101.XX.XX Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:924 errors:0 dropped:0 overruns:0 frame:0
TX packets:804 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:220278 (215.1 KiB) TX bytes:144195 (140.8 KiB)
Interrupt:19 Memory:fd3a0000-fd3c0000

eth0:1 Link encap:Ethernet HWaddr 00:50:56:B6:6F:B2
inet addr:100.101.XX.XX Bcast:100.101.XX.XX Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:19 Memory:fd3a0000-fd3c0000

eth0:2 Link encap:Ethernet HWaddr 00:50:56:B6:6F:B2
inet addr:100.101.XX.XX Bcast:100.101.XX.XX Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:19 Memory:fd3a0000-fd3c0000

eth1 Link encap:Ethernet HWaddr 00:50:56:B6:DD:F4
inet addr:195.144.XX.XX Bcast:195.144.XX.XX Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8897 errors:0 dropped:0 overruns:0 frame:0
TX packets:14848 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2971059 (2.8 MiB) TX bytes:2745407 (2.6 MiB)
Interrupt:17 Memory:fd1a0000-fd1c0000

 

[Expert@CHP-MGMT-SRV:0]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 195.144.XX.XX 0.0.0.0 UG 0 0 0 eth1
100.101.XX.XX 0.0.0.0 255.255.255.224 U 0 0 0 eth0
195.144.XX.XX 0.0.0.0 255.255.255.240 U 0 0 0 eth1

 

C:\Users\RAS>ping 195.144.xx.xx

Pinging 195.144.xx.xx with 32 bytes of data:
Reply from 195.144.xx.xx: bytes=32 time=2ms TTL=58
Reply from 195.144.xx.xx: bytes=32 time=2ms TTL=58

Ping statistics for 195.144.xx.xx:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C
C:\Users\RAS>tracert -d 195.144.xx.xx

Tracing route to 195.144.xx.xx over a maximum of 30 hops

1 1 ms <1 ms <1 ms 10.212.181.1
2 2 ms 1 ms 1 ms 193.85.28.193
3 2 ms 2 ms 2 ms 62.168.52.57
4 2 ms 2 ms 2 ms 194.212.194.160
5 3 ms 2 ms 3 ms 194.212.194.161
6 1 ms 2 ms 1 ms 193.85.186.10
7 2 ms 1 ms 2 ms 195.144.xx.xx

0 Kudos
Martin_Raska
Advisor
Advisor

ok, to have some record to this issue, we reinstalled MDS server but the issue persists. So I created a LAB, fresh R81.10 MDS, two interfaces, I have VM directly connected to other interface and still Auth failed, login works only when connecting to leading interface eth0.

-JHF does not help

-I created cert user for login to SC, does not help

-I am using admin super-user or another account

-I am locally on the same subnet

-add leading interface eth1 does not help

 

 

Behaviour:

when you have wrong pwd it will not get you pick Domain(just auth failed), when I have the correct login I get step where I can choose Domain, whatever I choose, next is Auth failed.

I am going to TAC with this, but it will take long time ...

0 Kudos
JozkoMrkvicka
Mentor
Mentor

You need to use Main IP which is linked to the leading interface in order to establish connection to the MDS over SmartConsole.

What is your leading interface when you go to the "mdsconfig" and select option for "Leading interface(s)" ? My guess would be eth0 and not eth1. Using more than one leading interface is not supported.

How to change the leading interface is mentioned here:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Kind regards,
Jozko Mrkvicka
Martin_Raska
Advisor
Advisor

Jozko,

you are right, if we change the leading interface then new CMA server get VIP from subnet eth1 not the original eth0 right?

I guess there is no workaround how to configure it that internal clients use SC to IP eth0(private) and external users use SC to IP eth1(public).

The vision of this project is to use two different IP addresses for connectivity via SmartConsole.

0 Kudos
JozkoMrkvicka
Mentor
Mentor

The best is to use the same interface (subnet) for leading VIP and also for all CMAs. Hovewer, using different subnet for leading interface and different subnet for CMAs is possible. But you will face the issue that you can reach SmartConsole MDS only over the interface marked as leading.

Even if you are somehow able to access MDS over public IP, the CMAs are reachable from user's computer IP to the CMA IPs, NOT to the MDS IP.

This is the case where NAT can be used, to translate public IP to private IP once there is connection to CMA IPs over SmartConsole ports.

Another option would be to use some Windows jumpserver with installed SmartConsole. The jump will have 2 interfaces (public + private). Customers will reach the jump over internet but access from jump to MDS (also CMAs) will go over private subnet.

Kind regards,
Jozko Mrkvicka
JozkoMrkvicka
Mentor
Mentor

One more option is to use VPN. In case MDS is protected by FW, then the customer can establish VPN to the FW (over public IP) and then should be able to reach MDS and all CMAs even with private subnet once the subnet of MDS will be included in VPN encryption domain of FW where MDS is connected to. Office mode or IP Pool NAT can be used to hide public IP and translate to private ranges over VPN.

Kind regards,
Jozko Mrkvicka
Martin_Raska
Advisor
Advisor

it could be written in admin guide as there not much about this topic.

"Using More than one Interface on a Multi-Domain Server
If there is more than one interface on a Multi-Domain Server, you must configure at least one interface to be the leading interface."

at least one = my understanding is one or more.

it is also not written anywhere that you should stick with one interface and subnet for MDS and CMAs to be able to connect with SmartConsole, instead SC will rape you with auth failed.

0 Kudos
JozkoMrkvicka
Mentor
Mentor

yes, you are right.

That should be addressed to Check Point TAC or R&D for clarification.

Kind regards,
Jozko Mrkvicka
0 Kudos
JozkoMrkvicka
Mentor
Mentor

The management should be protected by the firewall. If this is the case, just play with NAT and routing.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events