CPUG: The Check Point User Group


Thread: Not responding to arp-who-has

  1. #1
    Join Date
    2013-05-06
    Posts
    20
    Rep Power
    0

    Default Not responding to arp-who-has

    Recently upgraded a single member firewall to R80.10. We have about 10 static NATs automatic in objects. Outbound traffic on those NATs seems to work fine (as well as all Hide NAT traffic). However, when I tcpdump on the external for inbound traffic to those static NAT IPs, I just see arp-who-has and my own outbound traffic. I went ahead and added the IPs to the proxy arp config, but this had no effect. Merge proxy arp is enabled in global properties. Any other ideas?

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,082
    Rep Power
    12

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by jcstefansson View Post
    Recently upgraded a single member firewall to R80.10. We have about 10 static NATs automatic in objects. Outbound traffic on those NATs seems to work fine (as well as all Hide NAT traffic). However, when I tcpdump on the external for inbound traffic to those static NAT IPs, I just see arp-who-has and my own outbound traffic. I went ahead and added the IPs to the proxy arp config, but this had no effect. Merge proxy arp is enabled in global properties. Any other ideas?
    Turn off clustering from cpconfig. You accidentally enabled it.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,455
    Rep Power
    8

    Default Re: Not responding to arp-who-has

    How could outbound NAT traffic work if ARP isn't being responded to?

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,082
    Rep Power
    12

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by jflemingeds View Post
    How could outbound NAT traffic work if ARP isn't being responded to?
    Because the outbound connections are all almost certainly being hidden behind the firewall's NIC address. It will always respond for that one.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  5. #5
    Join Date
    2014-09-02
    Posts
    313
    Rep Power
    10

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by ShadowPeak.com View Post
    Because the outbound connections are all almost certainly being hidden behind the firewall's NIC address. It will always respond for that one.
    But if the Static NAT rules come before the Hide NAT (which they will if they're all Automatic), then even the outbound connections will be source-NATed as coming from their public address. If ARP isn't working, then replies wouldn't be able to find their way back.

    OP (jcstefansson), check logs and see how the "working" outbound connections are actually going out. What NAT is being used? Is the Hide NAT automatic or manual? How is your Proxy ARP set up? I've seen quite a few issues (many very recently) with ARP in R80.10, but mostly cluster-related (like "friendly" interface names for clustered interfaces replacing actual names in topology, completely breaking automatic ARP).

    -E

  6. #6
    Join Date
    2013-05-06
    Posts
    20
    Rep Power
    0

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by EricAnderson View Post
    But if the Static NAT rules come before the Hide NAT (which they will if they're all Automatic), then even the outbound connections will be source-NATed as coming from their public address. If ARP isn't working, then replies wouldn't be able to find their way back.

    OP (jcstefansson), check logs and see how the "working" outbound connections are actually going out. What NAT is being used? Is the Hide NAT automatic or manual? How is your Proxy ARP set up? I've seen quite a few issues (many very recently) with ARP in R80.10, but mostly cluster-related (like "friendly" interface names for clustered interfaces replacing actual names in topology, completely breaking automatic ARP).

    -E
    We rolled back to an R77.30 snapshot because of pressure from above, but here's info from last night:

    Static automatic NATs are what's being used in the config. We tried creating a manual NAT rule and creating a proxy arp config, but no effect, as mentioned in OP. Prior to that, there was no proxy arp config (I can confirm in R77.30 with it working properly this is still the case).

    I am thinking ShadowPeak is probably correct. I do think ClusterXL was enabled, but I didn't think anything of it at the time. We're planning on cutting over again tonight, and I'll double check this. If we have no issues, I think we can conclude that was the cause.

    Quote Originally Posted by jflemingeds View Post
    How could outbound NAT traffic work if ARP isn't being responded to?
    I should clarify that when I say outbound traffic was working, I meant that I saw static NAT'd IPs going outbound towards the router; I do not think replies to these packets were coming back. Anything that operated on a Hide NAT worked normally.

  7. #7
    Join Date
    2014-09-02
    Posts
    313
    Rep Power
    10

    Default Re: Not responding to arp-who-has

    If the Automatic Hide NAT is fine, and you're seeing the outbound Static's being NATed properly, but not getting replies, then yes, this seems to be an ARP issue, and yes, ClusterXL is a very likely culprit.

    When ClusterXL is enabled, both Automatic and Proxy ARP only "broadcast" on the active member. If ClusterXL is enabled on the device, but not in policy, then it's very likely that those ARPs aren't working.

    Good luck tonight, and let us know.

    -E

  8. #8
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,106
    Rep Power
    11

    Default Re: Not responding to arp-who-has

    In the global settings, check the NAT page for ARP settings. Do not forget that Cisco routers have a 4-hour ARP cache, and you need to use arping to make sure to overwrite that cache, or reset the router's ARP cache.
    This is especially true when you have a cluster and start using a different cluster method (ClusterXL instead of VRRP, or the other way around); however, that is not your case, but when cluster is on there is a chance a Virtual MAC is used.

    When using static Proxy ARP, make sure to always push a policy after adding these commands, and check with 'fw ctl arp' to see what the gateway thinks the proxy ARPs should be.

    For sending gratuitous ARPs for IPs not on any interface:
    go to expert mode and execute the commands below; in the second, replace the IP and interface to reflect your situation:
    echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
    arping -c 4 -A -I eth0 177.177.177.177
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.
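An added example (not code from any poster in this thread) that turns the tcpdump check from the original post and the ARP cache caveats above into a quick test: it parses tcpdump ARP output from the external interface and reports which static NAT addresses get who-has requests that nobody answers, plus addresses answered by more than one MAC. The capture lines and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i eth0 arp` output (not a real capture): 203.0.113.10
# is answered by two different MACs (stale cache / VMAC change), .11 and .12 are never answered.
SAMPLE_CAPTURE = """\
10:00:01.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
10:00:01.000300 ARP, Reply 203.0.113.10 is-at 00:1c:7f:aa:bb:cc, length 28
10:00:02.000100 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
10:00:03.000100 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
10:00:03.500000 ARP, Request who-has 203.0.113.12 tell 203.0.113.1, length 46
10:00:04.000100 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
10:00:05.000100 ARP, Reply 203.0.113.10 is-at 00:1c:7f:dd:ee:ff, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")

def parse_arp(capture):
    """Count who-has requests per target IP and collect the MACs that replied for each IP."""
    requests = defaultdict(int)
    replies = defaultdict(set)
    for line in capture.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            requests[req.group(1)] += 1
        rep = REPLY_RE.search(line)
        if rep:
            replies[rep.group(1)].add(rep.group(2).lower())
    return dict(requests), dict(replies)

def unanswered(capture, expected_ips, min_requests=2):
    """Static NAT IPs asked for at least min_requests times and never answered (nobody proxy-ARPs)."""
    requests, replies = parse_arp(capture)
    return sorted(ip for ip in expected_ips
                  if requests.get(ip, 0) >= min_requests and ip not in replies)

def multiple_answerers(capture):
    """IPs answered by more than one MAC: a stale upstream cache entry or a second device claiming it."""
    _, replies = parse_arp(capture)
    return sorted(ip for ip, macs in replies.items() if len(macs) > 1)

if __name__ == "__main__":
    static_nats = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for ip in unanswered(SAMPLE_CAPTURE, static_nats):
        print(f"no ARP reply for {ip}: nobody is proxy-ARPing for it")
    for ip in multiple_answerers(SAMPLE_CAPTURE):
        print(f"{ip} answered by several MACs: check for a stale cache or VMAC conflict")
```

Feed it a real capture with `tcpdump -n -i <external> arp > arp.txt` and the list of static NAT addresses; an address that appears only in who-has lines is exactly the symptom the original poster saw.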

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,455
    Rep Power
    8

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by jcstefansson View Post
    We rolled back to an R77.30 snapshot because of pressure from above, but here's info from last night:

    Static automatic NATs are what's being used in the config. We tried creating a manual NAT rule and creating a proxy arp config, but no effect, as mentioned in OP. Prior to that, there was no proxy arp config (I can confirm in R77.30 with it working properly this is still the case).

    I am thinking ShadowPeak is probably correct. I do think ClusterXL was enabled, but I didn't think anything of it at the time. We're planning on cutting over again tonight, and I'll double check this. If we have no issues, I think we can conclude that was the cause.

    I should clarify that when I say outbound traffic was working, I meant that I saw static NAT'd IPs going outbound towards the router; I do not think replies to these packets were coming back. Anything that operated on a Hide NAT worked normally.
    Aaah. That makes sense. One last option if clustering doesn't fix it: in your proxy ARP config, are you using the interface name or forcing a MAC address in the proxy ARP? I just hit an issue a few days ago where using the interface name didn't work but using a static MAC did. This was 77.x though.

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,455
    Rep Power
    8

    Default Re: Not responding to arp-who-has

    And if none of that works, you can always check for dropped packets with fw ctl zdebug drop.

  11. #11
    Join Date
    2013-05-06
    Posts
    20
    Rep Power
    0

    Default Re: Not responding to arp-who-has

    Confirmation: We did the upgrade again last night with ClusterXL not enabled, and encountered no issues.

  12. #12
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,082
    Rep Power
    12

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by jcstefansson View Post
    Confirmation: We did the upgrade again last night with ClusterXL not enabled, and encountered no issues.
    Great, thanks for the update!
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  13. #13
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,455
    Rep Power
    8

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by ShadowPeak.com View Post
    Great, thanks for the update!
    Nice going, I'll buy you one of those famous $18 Bud Lights at Vegas for your abilities, assuming you're going to CPX.

  14. #14
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,082
    Rep Power
    12

    Default Re: Not responding to arp-who-has

    Quote Originally Posted by jflemingeds View Post
    Nice going, I'll buy you one of those famous $18 Bud Lights at Vegas for your abilities, assuming you're going to CPX.
    I plan to attend CPX Vegas, whether it will be as more than just an attendee remains to be seen. :-)
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
