CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


I'd like to thank everyone involved for making "The CPUG Challenge" a great success.
We helped a lot of people see and learn a bit more about R80.10, while having some fun.
We will be using this success to try and bring more events to more locations soon. -E

 

Results 1 to 5 of 5

Thread: Question on VSX - !IP address mismatch

  1. #1
    Join Date
    2007-02-07
    Posts
    157
    Rep Power
    11

    Default Question on VSX - !IP address mismatch

    Hi,

    does someone have an idea why I'm geting all these !IP address mismatches on my SmartCenter for my VSX cluster for each an every Warp-connection? Is this because of unnumbered interfaces? And what is your recommendation for virtual routers compared to physical ones in general?

    Code:
    [Expert@SmartCenter:0]# vsx_util show_interfaces
    
    Type: Virtual Router
    
    Interfaces configuration table:
    
    +--------------------------------------------------------+-----+-------------------+
    |Interfaces                                              |Mgmt |VSX GW(s)          |
    +----------+---------------------------------------------+-----+---------+---------+
    |Name      |           IP / Mask length                  |     |  VSX1   |   VSX2  |
    +----------+---------------------------------------------+-----+---------+---------+
    |wrpj128   |v4 192.168.10.172/32                         |  V  |   !IP   |   !IP   |
    |wrpj192   |v4 192.168.10.172/32                         |  V  |   !IP   |   !IP   |
    |bond4     |v4 20.20.20.20/28                            |  V  |    V    |    V    |
    |bond3     |v4 192.168.10.172/28                         |  V  |    V    |    V    |
    +----------+---------------------------------------------+-----+---------+---------+
    Interfaces Table Legend:
    
      V   - Interface exists on the gateway and matches management information (if defined on the management).
      -   - Interface does not exist on the gateway.
     N/A  - Fetching Virtual Device configuration from the gateway failed.
     !IP  - Interface exists on the gateway, but there is an IP address mismatch.
    !MASK - Interface exists on the gateway, but there is a Net Mask mismatch.
    Thanks in advance!
    Last edited by danjun; 2017-01-12 at 10:03.

  2. #2
    Join Date
    2007-06-04
    Posts
    3,241
    Rep Power
    15

    Default Re: Question on VSX - !IP address mismatch

    Well is your real interfaces that showing the mismatch, do you have unnumbered VTI proxying with these Interfaces that mismatching.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&soluti onid=sk79700&partition=General&product=VSX"

    Might want to read the above link as VTI isn't supported on VSX, so could be your issue

    In terms of Virtual Routers vs Real Routers, then the main thing is that the Virtual Routers mean that you have to run your VSX in HA mode and cannot split the Virtual Systems across the VSX Cluster Members.

    The one advantage that they have is that easy to deploy however you can use Cisco VRF to supply multiple routers to your VSX infrastructure and then still Load Share on the VSX.

  3. #3
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,005
    Rep Power
    13

    Default Re: Question on VSX - !IP address mismatch

    Quote Originally Posted by danjun View Post
    Hi,

    does someone have an idea why I'm geting all these !IP address mismatches on my SmartCenter for my VSX cluster for each an every Warp-connection? Is this because of unnumbered VTIs? And what is your recommendation for virtual routers compared to physical ones in general?

    Code:
    [Expert@SmartCenter:0]# vsx_util show_interfaces
    
    Type: Virtual Router
    
    Interfaces configuration table:
    
    +--------------------------------------------------------+-----+-------------------+
    |Interfaces                                              |Mgmt |VSX GW(s)          |
    +----------+---------------------------------------------+-----+---------+---------+
    |Name      |           IP / Mask length                  |     |  VSX1   |   VSX2  |
    +----------+---------------------------------------------+-----+---------+---------+
    |wrpj128   |v4 192.168.10.172/32                         |  V  |   !IP   |   !IP   |
    |wrpj192   |v4 192.168.10.172/32                         |  V  |   !IP   |   !IP   |
    |bond4     |v4 20.20.20.20/28                            |  V  |    V    |    V    |
    |bond3     |v4 192.168.10.172/28                         |  V  |    V    |    V    |
    +----------+---------------------------------------------+-----+---------+---------+
    Interfaces Table Legend:
    
      V   - Interface exists on the gateway and matches management information (if defined on the management).
      -   - Interface does not exist on the gateway.
     N/A  - Fetching Virtual Device configuration from the gateway failed.
     !IP  - Interface exists on the gateway, but there is an IP address mismatch.
    !MASK - Interface exists on the gateway, but there is a Net Mask mismatch.
    Thanks in advance!
    If you mean VPN VTIs, they are not supported.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  4. #4
    Join Date
    2007-02-07
    Posts
    157
    Rep Power
    11

    Default Re: Question on VSX - !IP address mismatch

    I was referring to unnumbered interfaces, not unnumbered virtual tunnel interfaces (VTI).

  5. #5
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,005
    Rep Power
    13

    Default Re: Question on VSX - !IP address mismatch

    There is something wrong with your warp interfaces. It seems two different ones have the same address:

    wrpj128 v4 192.168.10.172/32
    wrpj192 v4 192.168.10.172/32


    Did you assign this IP address manually? warp do not need IP addresses when connected to a virtual switch and may not need IP address when connecting to VR. Without more details it is hard to say why it is wrong exactly, but two different warp interfaces should not have the same IP address.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

Similar Threads

  1. Replies: 2
    Last Post: 2013-03-11, 05:54
  2. Smart-1 LVM Partion ID Mismatch
    By CPNeo in forum Check Point Smart-1 Security Management Appliances
    Replies: 0
    Last Post: 2012-04-06, 05:18
  3. UTM-2076, MD5 Mismatch Of Backup
    By dbrown3611 in forum Check Point Backup Procedures
    Replies: 1
    Last Post: 2010-09-14, 09:49
  4. Cisco enc domain mismatch
    By paprichaat in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 1
    Last Post: 2009-11-26, 22:09
  5. Dynamic Ip address and SC question
    By mnoce@licenciasonline.com in forum SecureClient/SecuRemote
    Replies: 1
    Last Post: 2007-11-02, 15:49

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •