CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Upgraded from 75.40VS to 77.30 - ARP Issues

  1. #1
    Upgraded from 75.40VS to 77.30 - ARP Issues

    Hello

    I have upgraded our VSX cluster from R75.40VS to R77.30 recently and all the policies have manually added static NATs. We are facing a problem where, for the traffic going to one of our vendors, the MAC addresses are not being advertised by the firewall. I can see the outbound traffic leaving my network but no return traffic coming back. When I use the arp -a command to see the ARP table, it shows incomplete for the destination IP that I am looking for.

    Thanks in advance for your help

    Ravindra

  2. #2
    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    This is a pretty well-documented concept (see sk30197), and the information you've provided is a bit limited.

    A few basic questions/ideas:
    • Was your previous setup SPLAT or Gaia?
    • Did you have/verify local.arp file?
    • Have you defined Proxy ARP's in Gaia?


    Give us some more details, and let us know what you've tried so far.

    -E

  3. #3
    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    Hello

    Was your previous setup SPLAT or Gaia? --> Gaia
    Did you have/verify local.arp file? --> There is a local.arp file ($FWDIR/conf)
    Have you defined Proxy ARP's in Gaia? --> No

    So if I need to make a change on the local.arp file, doesn't it require a reboot every time I make a change?
    Also, do I have to configure one local.arp file for the VSX device or one local.arp file for VS?

    Ravi

  4. #4
    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    Best is to move the Proxy arp's to the VS's clish area or even better use Automatic NAT if you can.
    Make sure you have, in the global settings, merge local arp turned on.
    Any time you make a change push the policy, as that is the moment the changes are made effective.

    Check with 'fw ctl arp' to see if the proxy arps are shown.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  5. #5
    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    Quote: Originally posted by ravindra692
    > Hello
    >
    > Was your previous setup SPLAT or Gaia? --> Gaia
    > Did you have/verify local.arp file? --> There is a local.arp file ($FWDIR/conf)
    > Have you defined Proxy ARP's in Gaia? --> No
    >
    > So if I need to make a change on the local.arp file, doesn't it require a reboot every time I make a change?
    > Also, do I have to configure one local.arp file for the VSX device or one local.arp file for VS?
    >
    > Ravi

    Previously, local.arp required a reboot or cpstop/cpstart to be recognized when you created it, but subsequent updates to the file would only take a policy push.

    GAiA overwrites a lot of files (I definitely remember /etc/passwd) when you save config. I wouldn't be surprised if local.arp were one of them. I would try to add the proxy ARP entries in the clish config if possible. If you want to try configuring the local.arp by hand, it is done per-VS. It lives in $FWDIR/CTX/CTX<zero-padded VSID>/conf/. The <zero-padded VSID> is a five-digit number with leading zeros. VSID 12 becomes CTX00012.

    Again, you should add proxy ARP entries in clish if possible. If you write to the local.arp directly, be sure to keep backup copies in case the system overwrites it.
    Zimmie

  6. #6
    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    Hello

    Thanks Guys.
    I can make it work, if it doesn't require a reboot every time I have to make a change.
    I will create the local.arp file in clish for each VS, and I will check the entries using "fw ctl arp"

    Thanks Again
    Ravindra

  7. #7
    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    Quote: Originally posted by ravindra692
    > Hello
    >
    > Thanks Guys.
    > I can make it work, if it doesn't require a reboot every time I have to make a change.
    > I will create the local.arp file in clish for each VS, and I will check the entries using "fw ctl arp"
    >
    > Thanks Again
    > Ravindra

    Please be sure to test this in a lab before relying on it in production. The three major things I would test are these:

    • Provisioning a new VS
    • Adding a new automatic NAT
    • Adding a new proxy ARP entry via clish


    I could see any of those wiping out configuration you have manually placed in local.arp.
    Zimmie
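
Added example, not part of the thread and not Check Point's own tooling: a small shell helper that builds the per-VS local.arp path described in post #5, keeps a backup copy, and reports whether the live file was changed or removed afterwards (for instance after one of the three lab tests listed in post #7). The function names and the backup directory layout are assumptions of this example, and it covers only VSIDs 1 to 99999.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the backup layout
# (<backup_dir>/CTXnnnnn.local.arp) are assumptions of this example.
# Path layout comes from the post: $FWDIR/CTX/CTX<zero-padded VSID>/conf/

# vs_ctx VSID -> prints the context directory name, e.g. 12 -> CTX00012
vs_ctx() {
    case "$1" in
        ''|*[!0-9]*) echo "VSID must be numeric: '$1'" >&2; return 2 ;;
    esac
    n=$(printf '%s' "$1" | sed 's/^0*//')   # strip zeros so 012 is not read as octal
    if [ -z "$n" ] || [ "${#n}" -gt 5 ]; then
        echo "VSID outside 1-99999: '$1'" >&2; return 2
    fi
    printf 'CTX%05d\n' "$n"
}

# vs_arp_path FWDIR VSID -> prints the full path of that VS's local.arp
vs_arp_path() {
    ctx=$(vs_ctx "$2") || return 2
    printf '%s/CTX/%s/conf/local.arp\n' "$1" "$ctx"
}

# backup_arp FWDIR VSID BACKUP_DIR -> save the current file as the known-good copy
backup_arp() {
    ctx=$(vs_ctx "$2") || return 2
    src="$1/CTX/$ctx/conf/local.arp"
    [ -f "$src" ] || { echo "no local.arp at $src" >&2; return 1; }
    mkdir -p "$3" && cp -p "$src" "$3/$ctx.local.arp"
}

# check_arp FWDIR VSID BACKUP_DIR -> prints ok | changed | missing | no-backup
# Returns 0 only when the live file is byte-identical to the backup.
check_arp() {
    ctx=$(vs_ctx "$2") || return 2
    live="$1/CTX/$ctx/conf/local.arp"
    snap="$3/$ctx.local.arp"
    if [ ! -f "$snap" ]; then echo "no-backup"; return 1; fi
    if [ ! -f "$live" ]; then echo "missing"; return 1; fi
    if cmp -s "$live" "$snap"; then echo "ok"; return 0; fi
    echo "changed"; return 1
}
```

In a lab, run `backup_arp "$FWDIR" 12 /var/tmp/arp-backup` before a test step and `check_arp "$FWDIR" 12 /var/tmp/arp-backup` after it; any result other than `ok` means the hand-edited file did not survive that step.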
