CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: A/P ClusterXL ARPs using member address instead of cluster

  1. #1
    Join Date 2012-08-06
    Posts 63

    A/P ClusterXL ARPs using member address instead of cluster

    Hi all,

    We have a two-member active/passive ClusterXL setup in VRRP mode (Gaia R77).

    We were wondering why replacing a legacy stand-alone router with the Check Point as router/firewall wasn't working when we found out that the individual cluster members are sending the ARP requests. Since the remote side seems to be set up for a point-to-point transit network, my guess is the reply packets don't reach us because the new individual cluster member address just doesn't fall into the IP range set up on the remote router.

    Now why wouldn't the Check Point cluster use its cluster/VRRP address to perform the ARP requests?

    I know there is an option for hiding the members behind the cluster address but 1) I read it wouldn't do anything on ClusterXL anyhow 2) I am not very confident just enabling this without knowing anything about the repercussions, which I was unable to find anything about.

    Thanks,
    Marki

  2. #2
    Join Date 2011-08-02
    Location http://spikefishsolutions.com
    Posts 1,668

    Which clustering protocol are you using, VRRP or ClusterXL?

    This is how ClusterXL works out of the box. You can change this to use a virtual MAC if you want. ClusterXL uses a process called gratuitous ARP to clean up ARP tables on failover.

    VRRP should use a virtual MAC by default.

    I think there is an issue with VRRP and proxy ARP. If you look around Support Center I think you'll find it.

  3. #3
    Join Date 2012-08-06
    Posts 63

    Well, it's ClusterXL but also VRRP (see attachment).

    [Attachment: Clipboard04.jpg]

    TBH I don't get what you mean by Proxy ARP. I don't think there is any need for Proxy ARP here. I was just wondering why the (local) ARPs were not using the actual cluster address.

  4. #4
    Join Date 2007-06-04
    Posts 3,314

    Individual members will send out ARP REQUESTS. Are you talking about ARP requests or replies?

    VRRP HA systems will respond with the VRRP MAC address when replying to an ARP request.

    From your description I think I have understood, so let me clarify what I have understood this as:

    1.) Gaia VRRP pair deployed
    2.) Transit network between upstream router and firewall, with services offered on a separate public IP address
    3.) Services on the public IP not working

    Automatic NAT only works when the IP address matches an IP range on an interface, at which point the gateway/cluster uses that as the information regarding the automatic ARP. If the IP is not part of the range then you either:

    Recommended - Get the upstream router to route the public IP range to the external cluster IP of the Check Point cluster - recommended as it gets rid of proxy ARP issues.

    Not Recommended - Configure manual proxy ARP using the VRRP MAC address as the address to respond with.

  5. #5
    Join Date 2012-08-06
    Posts 63

    The question is: Why are the ARP REQUESTS sent using the individual cluster MEMBER IP?

    Let me illustrate what I think is happening.

    Network A: 192.168.1.254/29
    Network B: 192.168.1.253/30 (probably)

    Network A router being replaced by Check Point firewall: we need 3 addresses instead of one, so we use:
    192.168.1.254 : cluster/VRRP address
    192.168.1.251 : cluster member 1
    192.168.1.252 : cluster member 2

    192.168.1.251 ARPs for 192.168.1.253 but does not get a reply, probably because the netmask on Network B is wrong.

    However the question remains: Why does the cluster member (251) ARP for the remote gateway instead of the cluster address (254)?

  6. #6
    Join Date 2011-08-02
    Location http://spikefishsolutions.com
    Posts 1,668

    Quote Originally Posted by jeronimo:
    The question is: Why are the ARP REQUESTS sent using the individual cluster MEMBER IP?

    I'm not sure why you care? ARP's only job is to create a MAC-to-IP mapping, which is then cached on the host who asked for the mapping.

    Quote Originally Posted by jeronimo:
    Let me illustrate what I think is happening.

    Network A: 192.168.1.254/29
    Network B: 192.168.1.253/30 (probably)

    OK, that's not good.

    Quote Originally Posted by jeronimo:
    Network A router being replaced by Check Point firewall: we need 3 addresses instead of one, so we use:
    192.168.1.254 : cluster/VRRP address
    192.168.1.251 : cluster member 1
    192.168.1.252 : cluster member 2

    Why are you mixing ClusterXL and VRRP?

    Quote Originally Posted by jeronimo:
    192.168.1.251 ARPs for 192.168.1.253 but does not get a reply, probably because the netmask on Network B is wrong.

    Seems correct if the mask on .253 is wrong like you listed.

    Quote Originally Posted by jeronimo:
    However the question remains: Why does the cluster member (251) ARP for the remote gateway instead of the cluster address (254)?

    Oooh... I think I just figured out why you want the VIP to be used: because .254 is on the same subnet of a /30. If the firewall only used the VIP for resolving addresses via ARP packets, then only the active firewall would be able to communicate on the local LAN and the standby would fall off the network.

    Why don't you just put static ARPs in the firewall for the broken host, or just fix the netmask issue?
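
The scenario in posts #5 and #6, as an added example (not code from the CPUG thread or from Check Point): it builds the ARP request a cluster member emits with its own address as the sender, then evaluates that request from the peer router's side under the /30 mask the thread guesses the peer uses, and under the /29 the Check Point side is configured with. The MAC addresses, the helper names (`build_arp`, `parse_arp`, `peer_view`, `thread_scenario`) and the assumption that a VIP-sourced request carries the VRRP virtual MAC are all made up for the illustration.

```python
# Added example, not from the CPUG thread or from Check Point.  Builds the ARP
# request a ClusterXL/VRRP member would send with its *own* IP as the sender
# (the behaviour the thread describes) and checks, from the peer router's side,
# whether that sender is a usable host address on the peer's link.
# MAC addresses and the helper names are made up for this illustration.
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_ip: str,
              target_mac: str = ZERO_MAC) -> bytes:
    """Ethernet II + ARP (RFC 826) frame; requests go to the broadcast MAC."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac(dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet / IPv4
    arp += _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its five interesting fields."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": _mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def peer_view(frame: bytes, peer_iface: str) -> dict:
    """How a router whose interface is configured as peer_iface (for example
    '192.168.1.253/30') sees the request: is it for its own address, and is
    the sender a usable host address (not network/broadcast) on that link?"""
    a = parse_arp(frame)
    iface = ipaddress.ip_interface(peer_iface)
    spa = ipaddress.IPv4Address(a["sender_ip"])
    usable = (spa in iface.network
              and spa not in (iface.network.network_address,
                              iface.network.broadcast_address))
    return {"for_me": a["target_ip"] == str(iface.ip),
            "sender_on_link": usable,
            "sender_mac": a["sender_mac"]}


def thread_scenario() -> dict:
    """Addresses from post #5: VIP .254, members .251/.252, peer .253.
    Evaluated against the guessed /30 on the peer and against the /29."""
    senders = {
        "192.168.1.254": "00:00:5e:00:01:01",  # VRRP vMAC, VRID 1 (assumed)
        "192.168.1.251": "02:00:00:00:00:01",  # member 1 physical MAC (made up)
        "192.168.1.252": "02:00:00:00:00:02",  # member 2 physical MAC (made up)
    }
    out = {}
    for peer in ("192.168.1.253/30", "192.168.1.253/29"):
        out[peer] = {
            ip: peer_view(build_arp(ARP_REQUEST, mac, ip, "192.168.1.253"), peer)
            for ip, mac in senders.items()
        }
    return out


if __name__ == "__main__":
    for peer, rows in thread_scenario().items():
        print(peer)
        for ip, v in rows.items():
            print(f"  sender {ip:15} on-link={v['sender_on_link']}")
```

Under the /30 (network 192.168.1.252/30) only the VIP .254 is a usable host address: .251 is outside the block and .252 is its network address, which is exactly why a member-sourced request can go unanswered while the VIP would have worked. Under the /29 all three are valid. The static ARP workaround the replies recommend is, in Gaia clish, an entry of the form `add arp static ipv4-address 192.168.1.253 macaddress <peer MAC>` on each member (check the Gaia administration guide for your release before relying on the exact syntax).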

  7. #7
    Join Date 2007-06-04
    Posts 3,314

    ARP isn't part of VRRP or Check Point ClusterXL.

    ARP isn't synchronised etc., so it is perfectly understandable that it would be from the individual member rather than the VRRP HA address.

    While it is a pair, certain functions such as NTP etc. are nothing to do with the cluster and are also sent individually rather than as from the cluster.

    ARP isn't part of the HA system, so it is done individually.

  8. #8
    Join Date 2012-08-06
    Posts 63

    Quote Originally Posted by jflemingeds:
    Why are you mixing ClusterXL and VRRP?

    Because we had problems with VRRP before, and they suggested we at least go from IPSO VRRP to ClusterXL while leaving VRRP, in order not to replace old problems with new ones :)

    Quote Originally Posted by jflemingeds:
    Why don't you just put static ARPs in the firewall for the broken host ...

    Yeah, that would be a way to do it.

    Quote Originally Posted by jflemingeds:
    ... or just fix the netmask issue?

    Well, the remote router does not belong to us :)

  9. #9
    Join Date 2011-08-02
    Location http://spikefishsolutions.com
    Posts 1,668

    I can understand running VRRP on IPSO. It's rock solid. I wouldn't do the same on Gaia. I can't think of any good reason to choose both. I would ditch VRRP and just do ClusterXL across the board. I understand about not wanting to introduce new issues, but you basically already have by bringing in dual clustering protocols.

    Oh, btw, there may be a 3rd option. In pure ClusterXL mode you can use a single IP for the VIP and the firewall nodes use IPs on a different segment. The example is only having a single routable IP address.

    I can't remember where it's documented. I'll post when I find it if someone else doesn't post it beforehand.

    That being said, static ARP is a lot easier.

  10. #10
    Join Date 2012-08-06
    Posts 63

    Quote Originally Posted by jflemingeds:
    I would ditch VRRP and just do ClusterXL across the board.

    Well, linking it with a Cisco device on the other end will probably give you this: https://supportcenter.checkpoint.com...tionid=sk44898

    --> That's what I meant with other problems, hehe. You'd need to put static entries in the Cisco device for it to work at all...

  11. #11
    Join Date 2011-08-02
    Location http://spikefishsolutions.com
    Posts 1,668

    Quote Originally Posted by jeronimo:
    Well, linking it with a Cisco device on the other end will probably give you this: https://supportcenter.checkpoint.com...tionid=sk44898

    --> That's what I meant with other problems, hehe. You'd need to put static entries in the Cisco device for it to work at all...

    That SK isn't super clear, but it's the fix for using ClusterXL in Load Sharing - Multicast mode, which doesn't apply to your issue.

    Cisco doesn't like ARP where the MAC is multicast but the IP is unicast, so you're stuck doing static ARPs.
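
The distinction the reply above draws (a unicast IP answered with a multicast hardware address), as an added example that is not code from the CPUG thread or from Check Point: it classifies the hardware address carried in an ARP reply as plain unicast, a VRRP virtual MAC (00:00:5e:00:01:VRID per RFC 3768) or a group address (I/G bit set in the first octet), and models a peer that, like the Cisco behaviour described, refuses the multicast case. The sample replies and their MACs are constructed; the multicast one is just an address with the I/G bit set, not a claim about how ClusterXL derives its multicast MAC.

```python
# Added example, not from the CPUG thread or from Check Point.  Classifies the
# hardware address in an ARP reply and models a peer that insists on unicast
# hardware addresses for unicast IPs.  Sample data below is constructed.

VRRP_VMAC_PREFIX = (0x00, 0x00, 0x5e, 0x00, 0x01)   # RFC 3768, IPv4 VRRP


def classify_mac(mac: str) -> str:
    """Return 'unicast', 'multicast' or 'vrrp-vmac(vrid=N)' for a MAC."""
    octets = tuple(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC {mac!r}")
    if octets[:5] == VRRP_VMAC_PREFIX:
        return f"vrrp-vmac(vrid={octets[5]})"
    if octets[0] & 0x01:          # I/G bit: group (multicast/broadcast) address
        return "multicast"
    return "unicast"


def peer_accepts_arp_reply(mac: str, strict_unicast: bool = True) -> bool:
    """A strict peer (the Cisco behaviour the thread describes) drops an ARP
    reply that maps a unicast IP to a group hardware address; a lenient
    peer, or one given a static ARP entry, takes it."""
    return classify_mac(mac) != "multicast" or not strict_unicast


# Constructed sample: what the VIP 192.168.1.254 might answer with in each
# deployment style.  The ClusterXL multicast MAC here is an arbitrary group
# address chosen for the illustration, not the real derivation.
SAMPLE_REPLIES = {
    "VRRP":                     "00:00:5e:00:01:01",
    "ClusterXL HA (member MAC)": "02:00:00:00:00:01",
    "ClusterXL LS multicast":   "01:00:5e:52:a8:fe",
}


def evaluate_replies(replies=SAMPLE_REPLIES, strict_unicast: bool = True) -> dict:
    """Map each sample reply to (classification, accepted-by-peer)."""
    return {name: (classify_mac(mac), peer_accepts_arp_reply(mac, strict_unicast))
            for name, mac in replies.items()}


if __name__ == "__main__":
    for name, (kind, ok) in evaluate_replies().items():
        print(f"{name:28} {kind:20} accepted={ok}")
```

Only the Load Sharing multicast case trips a strict peer, which matches the reply above: the HA modes answer with an ordinary unicast MAC (or the VRRP vMAC, which is unicast too), so the static entries sk44898 talks about are only needed for the multicast mode.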

  12. #12
    Join Date 2011-08-02
    Location http://spikefishsolutions.com
    Posts 1,668

    Here is the 3rd option.

    Basically you would need the fw nodes' real addresses on a different subnet (not a supernet). This means they will not be accessible at all by the rest of the network. Then the VIP would be on your /30.

    sk32073 - this explains how to set it up.

    sk92799 - also see this - might be an issue.

    ARPs on the /30 should come from the cluster address now, but will only be generated by the active firewall. The standby will never be accessible.

    Just throwing it out there. Again... static ARPs seem the way to go.
