CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: GAIA R65.46 64 bits with VRRP and multicast not working

  1. #1
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    GAIA R65.46 64 bits with VRRP and multicast not working

    I have a pair of GAIA gateways running Active/Standby ClusterXL with a Cisco router in front of the firewall and another Cisco router behind the firewall. There is a Windows Media Server 2008R2 connected to the router in front of the firewall. I have a Windows 7 machine connected to the router behind the firewall. I am running PIM sparse mode with static-group and everything is working fine. From the Windows 7 machine, I can play the video streamed by the Windows 2008R2 server just fine without any issues. I can see the firewalls' PIM joins with both the upstream and downstream Cisco routers.

    I also have other traffic such as ftp, ssh, telnet, email, rdp, etc... and everything is working as expected with the exception of ftp, but I have a TAC case open with Checkpoint on this.

    Today, I decided to change from ClusterXL to VRRP because I think VRRP is much better than ClusterXL. So I went ahead and changed to VRRP simplified mode, made the change in the security policy, pushed the rules to the firewall... everything is working as expected WITH THE EXCEPTION OF MULTICAST. The firewall refuses to form a neighbor relationship with the Cisco routers. I have the rule wide open on the firewall.

    As stated before, if I switch from VRRP back to ClusterXL, multicast starts working again. The minute I change from ClusterXL to VRRP, multicast stops working. Therefore, I doubt that it is my configuration. Everything else, i.e. unicast traffic, works without issues.

    Has anyone been able to get a Checkpoint GAIA firewall in VRRP mode to work with Cisco routers running multicast?

    Thanks in advance.

  2. #2
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R75.46 64 bits with VRRP and multicast not working

    Just want to give everyone an update on this issue. After going through 3 different TAC engineers who are pretty clueless about multicast and VRRP, I finally told them that the case needs to be escalated to a more senior engineer who does know how multicast "actually" works. The support that I've been receiving from Checkpoint so far is about the same as the support I get from my 11-year-old son. The TAC guy asked me, "do you have SecureXL turned ON?" How the hell that has anything to do with multicast, which is UDP based, is beyond me.

  3. #3
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    7

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Basically, Checkpoint cannot do active/active for UDP in a cluster environment. UDP is always handled by only one of the boxes; it's the way UDP is, being stateless.
    You can disable SecureXL; mine has never given me any benefits for acceleration.

    They suggest the same remedy for IPSO clustering as well.

    Some of them don't make sense and may not always resolve the issue.

  4. #4
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Quote Originally Posted by Spawn
    basically checkpoint cannot do active active for udp in cluster environment. UDP is always handled by only one of the boxes. its the way udp is being stateless. you can disable securexl, mine has never given me any benefits for acceleration.
    What you said is "generally" true; however, according to Checkpoint, if one wants to reach the throughput performance indicated in Checkpoint's spec sheet, SecureXL must be ON.

  5. #5
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Quote Originally Posted by Spawn
    just check if SecureXL is working and is not being disabled by any rules.

    fwaccel stat and stats see how many are F2F and how many accelerated.

    we had no benefits as such.

    post disabling we have not had cluster breakdowns and multicast drops for months now touch wood.
    SecureXL is OFF, without any luck. In other words, multicast is still not working with VRRP. Multicast with ClusterXL works regardless of whether SecureXL is ON or OFF.

  6. #6
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    7

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Do you use any static multicast route towards the Cisco router for the source multicast group?
    Any anti-spoofing enabled on participating multicast interfaces?
    What does fw monitor | grep <multicast-group-ip> output say... any drops observed?

  7. #7
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Quote Originally Posted by Spawn
    do you use any static multicast route towards the cisco router for the source multicast group?
    any anti-spoofing enabled on participating multicast interfaces?
    what does fw monitor | grep <multicast-group-ip> output say....any drops observed?
    - Anti-spoofing is disabled on the firewall.
    - Yes, I have a static multicast route towards the Cisco router.
    - fw monitor shows nothing for the multicast group that plays the video.

    As stated before, it works perfectly with ClusterXL, so the configuration on both the Checkpoint and Cisco routers is correct. When switching to VRRP, it stops working.

  8. #8
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    7

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Seems like there is some behavioural change on the firewall when you switch to multicast.

    After the change to VRRP, do you see PIM and IGMP joins on the source multicast?

    Can you briefly describe the topology here: software release, IP appliance, SPLAT or Gaia?

    If I understand it correctly, multicast source---router--->switch-->Firewalls(A/S)--->LANswitch---Receiver.

    Sorry for asking all this, just trying to understand your setup here.

    When you switch to VRRP, just try taking a Wireshark capture of the switch port where the receiver is connected and also the active firewall port facing the router.
    Any observations of interesting multicast traffic being received or joins happening?


    Need to dig deep here; escalate to a T3 engineer at TAC.
    I remember those days when, being a CCIE Sec, I had to get myself CCSE certified just to get through to a T3 guy over support...
    PITA :)
    Last edited by Spawn; 2013-04-11 at 00:38.

  9. #9
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Quote Originally Posted by Spawn
    seems like there is some behavioural change on the firewall when you switch to multicast
    Definitely looks that way. Let me clarify something. I do NOT switch from ClusterXL to VRRP or VRRP back to ClusterXL. Both ClusterXL and VRRP were rebuilt from scratch using "set snapshot revert clusterXL" or "set snapshot revert VRRP" to make sure that the gateways are clean. Only the management server is modified to fit either ClusterXL or VRRP.

    Quote Originally Posted by Spawn
    after the change to vrrp, do you see PIM and IGMP joins on source multicast?
    No PIM or IGMP joins on the multicast source in VRRP mode.

    Quote Originally Posted by Spawn
    can you briefly describe the topology here, software release, ip appliance, splat or gaia?
    if i understand it correctly, multicast source---router--->switch-->Firewalls(A/S)--->LANswitch---Receiver.
    sorry for asking all this, just trying to understand your setup here.
    Topology: multicast source (Win2008R2) ---- Catalyst 3750 L3 switch --- Firewall (A/S) --- Catalyst L2 switch --- Cisco 2851 router --- Receiver (Windows 2003 and Windows 7)

    Firewall is R75.46 Gaia 64 bits running on Dell PowerEdge 2850.

    Quote Originally Posted by Spawn
    when you switch to VRRP, just try taking wireshark of the switch port where the receiver is connected and also the active firewall port facing the router.
    any observations of interesting multicast traffic being received or joins happenning.
    I did it one step better. I tracked it down on the router and L3 switch and I see nothing.

    As mentioned before, if I switch to ClusterXL everything works fine. Furthermore, if I replace the firewalls with a Cisco 2621 router, it still works, so my configuration is CORRECT.


    Quote Originally Posted by Spawn
    need to dig deep here, escalate to a T3 engineer at TAC.
    I remember those days when being a ccie sec, had to get myself CCSE certified just to get through a T3 guy over support...
    PITA:)
    The case is currently with a T2 engineer in Ottawa. The engineer told me that there is a "bug" when you set up multicast using clish. You have to set up multicast using the WebUI, but he produces no documentation to back it up and he himself does not know how to set it up using the WebUI either. Basically, I am fighting an uphill battle here.

  10. #10
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    7

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    I believe that the L3 switch is in L2 mode and the firewall is the gateway to the multicast source server.
    Let's make the L3 switch the gateway and route your traffic through the firewall.
    Just trying to see how the firewall behaves if the L3 switch becomes a PIM neighbor here.

  11. #11
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Quote Originally Posted by Spawn
    i believe that L3 switch is in L2 mode, firewall is the gateway to multicast source server
    lets make L3 switch the gateway and route your traffic through firewall.
    just trying to see how the firewall behaves if L3 switch becomes a PIM neighbor here.
    The L3 switch is NOT in L2 mode. The L3 switch is the default gateway for the router for both ClusterXL and VRRP...

  12. #12
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    7

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Great... so do you see a PIM neighbourship when you use the physical IP of the active firewall?
    Change the next hops to the physical IP instead of the VRRP IP.
    Last edited by Spawn; 2013-04-12 at 02:05.

  13. #13
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Quote Originally Posted by Spawn
    great...so do you see a pim neighbourship when you use the physical ip for the active firewall.
    change the next hops to physical ip instead of the VRRP ip.
    Correction: the L3 switch is the default gateway for the firewall. The L3 switch also has HSRP on it. I have a static route on the firewall pointing to the L3 switch's physical IP because the L3 switch is the PIM RP.

    As mentioned before, everything is working fine with ClusterXL but NOT with VRRP, so my configuration is definitely correct.

    Just an update on this. Just for grins, I decided to remove the following lines using clish from the firewall and then put them back immediately:

    Primary:
    set pim interface eth0 local-address 10.33.250.2 (where 10.33.250.2 is the physical ip address of the active firewall external facing)
    set pim interface eth1 local-address 10.33.250.130 (where 10.33.250.130 is the physical ip address of the active internal facing)
    set pim interface eth0 local-address 10.33.250.1 (where 10.33.250.1 is the VIP ip address of the active firewall external facing)
    set pim interface eth1 local-address 10.33.250.129 (where 10.33.250.129 is the VIP ip address of the active firewall internal facing)

    Secondary:
    set pim interface eth0 local-address 10.33.250.3 (where 10.33.250.1 is the physical ip address of the standby firewall external facing)
    set pim interface eth1 local-address 10.33.250.131 (where 10.33.250.131 is the physical ip address of the standby internal facing)
    set pim interface eth0 local-address 10.33.250.1 (where 10.33.250.1 is the VIP ip address of the external facing)
    set pim interface eth1 local-address 10.33.250.129 (where 10.33.250.129 is the VIP ip address of the internal facing)


    Guess what: after that, everything PIM comes back and everything is working. Failing VRRP back and forth, multicast still works.

    However, as soon as I reboot both firewalls and they come back online, multicast stops working again.

  14. #14
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    7

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Yup, that seems to be the reason: local-address is for the IP assigned to the interface.

    Use the following for the VRRP IPs and check:

    set pim interface eth1 virtual-address

    set pim interface eth0 virtual-address


    Virtual address: This option specifies that PIM use the VRRP virtual IP address on this interface. If enabled, PIM will start running on this interface only after the router transitions to master state with respect to VRRP on this interface.

    Note: Verify that HA mode is not enabled when using this option. This is because enabling HA mode will result in PIM ignoring the VRRP state on one or more interfaces. Please see Help for HA mode for more details.

    Options: On/Off.
    Default: Off.
    Last edited by Spawn; 2013-04-13 at 06:32.

  15. #15
    Join Date
    2006-10-23
    Posts
    221
    Rep Power
    13

    Re: GAIA R65.46 64 bits with VRRP and multicast not working

    Not had much exposure to Gaia as yet, but could this be related?

    Cause: The Cluster Control Protocol (CCP) packets that are sent between the members of the same cluster reach the neighbor cluster (connected to the same network) and "confuse" it.

    sk25977

  16. #16
    Join Date
    2006-09-26
    Posts
    3,191
    Rep Power
    16

    Re: GAIA R65.46 64 bits with VRRP and multicast not working - SOLVED

    Many thanks to Spawn for pointing me in the right direction. My multicast issue with VRRP is resolved by turning off the HA mode option with "set ha-mode off". In the Gaia advanced routing admin guide, it states:

    set mode <on | off>
    Specifies whether to enable or disable the High Availability (HA) mode. Enable the High-Availability (HA) mode when two routers are configured to back each other up to forward multicast traffic and sparse-mode PIM is implemented. When this option is enabled, all PIM-enabled interfaces are available only if each interface is up and has a valid address assigned. If any PIM-enabled interface goes down or all its valid addresses are deleted, then all PIM-enabled interfaces become unavailable and remain in that state until all interfaces are back up.
    The HA mode feature applies only to sparse-mode PIM. The HA mode feature does not affect the functioning of dense-mode PIM.

    Note - Beginning with Gaia 3.8, you can configure PIM to advertise the virtual VRRP IP address on an interface with PIM enabled. You do not need to enable HA mode if you configure the interface to advertise the virtual VRRP IP address. Default value: off

    According to the documentation, I do not have to enable HA mode, but it does not say that turning on this option will make multicast stop working after a firewall reboot.

    Thank you again, Spawn.

    Now I am turning my attention to multicast and ClusterXL. I have an issue with it, but that will be another post.
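The two settings that decided this thread (post #14: a VRRP VIP bound through local-address instead of virtual-address; post #16: HA mode left on while interfaces advertise the VIP) can be checked before a reboot bites. The script below is an added example, not code from the thread or from Check Point; it assumes the clish forms "set pim interface <if> virtual-address on" and "set pim ha-mode on|off", takes the VRRP VIPs as an explicit set rather than parsing the VRRP section, and runs on a constructed sample modelled on the primary member's lines in post #13.

```python
"""Audit Gaia clish PIM lines for the VRRP pitfalls discussed in this thread.
Assumed syntax (not confirmed by the thread): 'set pim interface <if> virtual-address on'
and 'set pim ha-mode on|off'. VRRP VIPs are passed in rather than parsed."""
import re

PIM_LOCAL = re.compile(r"^set pim interface (\S+) local-address (\d+(?:\.\d+){3})$")
PIM_VIRT = re.compile(r"^set pim interface (\S+) virtual-address (on|off)$")
PIM_HA = re.compile(r"^set pim ha-mode (on|off)$")


def audit_pim_vrrp(config_text, vrrp_vips):
    """Return (severity, interface, message) findings; vrrp_vips is the set of VIPs."""
    findings, virt_ifaces = [], []
    ha_mode = "off"  # documented default (post #16)
    for line in config_text.splitlines():
        line = line.strip()
        if m := PIM_LOCAL.match(line):
            iface, ip = m.groups()
            if ip in vrrp_vips:
                # local-address binds PIM to the interface's own IP; in the thread a
                # VIP bound this way only stayed working until the next reboot
                findings.append(("error", iface,
                                 f"VIP {ip} set as PIM local-address; use virtual-address on"))
        elif (m := PIM_VIRT.match(line)) and m.group(2) == "on":
            virt_ifaces.append(m.group(1))
        elif m := PIM_HA.match(line):
            ha_mode = m.group(1)
    if ha_mode == "on":
        # Gaia help text (post #14): HA mode makes PIM ignore VRRP state, so
        # virtual-address interfaces never start; 'set ha-mode off' fixed it (post #16)
        for iface in virt_ifaces:
            findings.append(("error", iface,
                             "virtual-address on with ha-mode on; set ha-mode off"))
    return findings


# Constructed sample modelled on the primary member's lines in post #13
SAMPLE_CONFIG = """\
set pim interface eth0 local-address 10.33.250.2
set pim interface eth0 local-address 10.33.250.1
set pim interface eth1 local-address 10.33.250.130
set pim interface eth1 virtual-address on
set pim ha-mode on
"""
SAMPLE_VIPS = {"10.33.250.1", "10.33.250.129"}

if __name__ == "__main__":
    for severity, iface, msg in audit_pim_vrrp(SAMPLE_CONFIG, SAMPLE_VIPS):
        print(f"{severity} {iface}: {msg}")
```

Feed it the PIM lines from "show configuration" and the VIPs from the VRRP section; an empty result means both pitfalls are absent.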
