This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MariuszT
Explorer
‎2021-07-21 12:17 AM

SMS upgrade from R80.20 to R80.40 create issues with SmartLSM GWs.

Hi,

Last weekend we've upgraded SMS from R80.20 to R80.40 with blink image upgrade.

After that we have issues with SmartLSM gateways. Every few hours we need to manually fetch policy from ROBO GWs(1450 R77.20.85) because DNS traffic is lost on the tunnel.

Example:

tcpdump on ROBO:

07:52:33.306248 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.53366: 6105* 1/0/0 A 10.112.198.40 (47)
07:52:45.898220 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 84: 10.63.30.244.49942 > 10.13.124.4.53: 61826+ A? mail.partner.xxx.xxx(42)
07:53:29.086509 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.52433 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.107068 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.52433: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:21.699884 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 74: 10.63.30.244.59945 > 10.13.124.4.53: 60861+ A? portal.xxx.xxx. (32)
07:54:24.507508 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 73: 10.63.30.251.57164 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.527347 00:1c:7f:7b:04:0a > 00:60:e0:6f:6b:52, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.63.30.251.57164: 46535* 1/0/0 A 10.112.198.40 (47)

we can see queries for 'mail.partner.xxx.xxx' and 'portal.xxx.xxx'

on the central GW those queries are missing:
07:52:33.291531 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.26351 > 10.13.124.4.53: 6105+ A? cpnbb.xxx.xxx. (31)
07:52:33.292107 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.26351: 6105* 1/0/0 A 10.112.198.40 (47)
07:53:29.092007 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.21365 > 10.13.124.4.53: 1982+ A? cpnbb.xxx.xxx. (31)
07:53:29.092875 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.21365: 1982* 1/0/0 A 10.112.198.40 (47)
07:54:24.512593 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 73: 10.13.96.186.32668 > 10.13.124.4.53: 46535+ A? cpnbb.xxx.xxx. (31)
07:54:24.513090 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 89: 10.13.124.4.53 > 10.13.96.186.32668: 46535* 1/0/0 A 10.112.198.40 (47)

After 'fw fetch' on ROBO GW, DNS queries are going normally:
ROBO GW:
07:59:03.905407 38:90:a5:a0:f2:65 > 00:1c:7f:7b:04:0a, ethertype IPv4 (0x0800), length 88: 10.63.30.244.60248 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.926065 00:1c:7f:7b:04:0a > 00:50:56:b6:75:7e, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.63.30.244.60248: 18586* 1/0/1 A 10.218.190.169 (62)

Central GW:
07:59:03.910580 00:1c:7f:6a:b2:53 > 88:1d:fc:6c:9b:c0, ethertype IPv4 (0x0800), length 88: 10.13.96.186.24953 > 10.13.124.4.53: 18586+ [1au] A? atxxx.xxx.xxx. (46)
07:59:03.911431 88:1d:fc:6c:9b:c0 > 00:1c:7f:6a:b2:53, ethertype IPv4 (0x0800), length 104: 10.13.124.4.53 > 10.13.96.186.24953: 18586* 1/0/1 A 10.218.190.169 (62)

I've opened SR for that, but maybe you've got some info about known issues with SmartLSM and R80.40 and SMB 1450?

Greetings,

Mariusz

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-07-23 12:35 AM

Is there a reason you're running R77.20.75 and not R77.20.87, which is much more recent?

0 Kudos
MariuszT
Explorer
‎2021-07-23 01:06 AM
In response to PhoneBoy

my mistake, we're running R77.20.87:

show software-version
This is Check Point's 1450 Appliance R77.20.87 - Build 072

 

But we had to rollback SMS to R80.20. 

The issue was that after few hours ROBO GW's stopped NAT for local networks. We think that somehow they're loosing Dynamic Object configuraction. After fetching policy traffic goes normal for some time 😕

We have SR opened because next year R80.20 is going EOS and upgrade is necessary.

We also tried R81.10 suggested by CP engineer, but it was only worse. We could not install policy on ROBO GWs at all. Tried SIC reset but with no luck. 

Greetings,

Mariusz

0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-23 06:28 PM
In response to MariuszT

That seems like a possibility.
You can check the current state of dynamic objects using the dynamic_objects CLI command on the gateway to confirm that. 
Still, sounds like something TAC needs to look at more closely.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events