CPUG: The Check Point User Group

Thread: Asymmetric Routing when accessing gateway cluster members?

  1. #1
    Join Date
    2006-05-23
    Posts
    29
    Rep Power
    0

Asymmetric Routing when accessing gateway cluster members?

    Having an issue where ssh/web attempts to members of a gateway cluster result in dropped packets with the error of: TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
    tcp_flags: ACK

    CP specifically calls this out and details how to fix it both temporarily and permanently though suggests not to do it here: https://supportcenter.checkpoint.com...tionid=sk36161

    It does not go into much detail as to why this is happening on my gateways or what I may have misconfigured where such that I can address the real issue rather than using this proposed solution.

    Can anyone point me to what I might have configured incorrectly that is causing this? I have verified that the fix in the CP SK does in fact fix it but I would prefer to get to the root of the issue if I can.

    Thanks

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,226
    Rep Power
    13

Re: Asymmetric Routing when accessing gateway cluster members?

    Quote Originally Posted by infrared013:
    Having an issue where ssh/web attempts to members of a gateway cluster result in dropped packets with the error of: TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
    tcp_flags: ACK

    CP specifically calls this out and details how to fix it both temporarily and permanently though suggests not to do it here: https://supportcenter.checkpoint.com...tionid=sk36161

    It does not go into much detail as to why this is happening on my gateways or what I may have misconfigured where such that I can address the real issue rather than using this proposed solution.

    Can anyone point me to what I might have configured incorrectly that is causing this? I have verified that the fix in the CP SK does in fact fix it but I would prefer to get to the root of the issue if I can.

    Thanks
    When making SSH/HTTPS connections to the cluster members, make sure you are using the dedicated/fixed IP address on the firewall interface "facing" (or closest to) where the SSH/HTTPS is being initiated from. Using another firewall interface address will cause the traffic to be handled asymmetrically by the cluster and incur the "out of state" messages you are seeing.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2006-05-23
    Posts
    29
    Rep Power
    0

Re: Asymmetric Routing when accessing gateway cluster members?

    Quote Originally Posted by ShadowPeak.com:
    When making SSH/HTTPS connections to the cluster members, make sure you are using the dedicated/fixed IP address on the firewall interface "facing" (or closest to) where the SSH/HTTPS is being initiated from. Using another firewall interface address will cause the traffic to be handled asymmetrically by the cluster and incur the "out of state" messages you are seeing.
    Thank you for this feedback. I am in fact doing just that, and I'm doing so on an interface that has worked and been working for some time now with no issues and none of these asymmetric routing issues.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,226
    Rep Power
    13

Re: Asymmetric Routing when accessing gateway cluster members?

    Quote Originally Posted by infrared013:
    Thank you for this feedback. I am in fact doing just that, and I'm doing so on an interface that has worked and been working for some time now with no issues and none of these asymmetric routing issues.
    OK, so is the cluster healthy? Is it reporting active/standby when running cphaprob stat? How about cphaprob -a if: is the sync interface detected and working?
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,625
    Rep Power
    9

Re: Asymmetric Routing when accessing gateway cluster members?

    If the cluster is healthy, please explain the firewall topology, where the client is connected, show the route table of the firewalls, and show the interface listed in the drop message.

  6. #6
    Join Date
    2006-05-23
    Posts
    29
    Rep Power
    0

Re: Asymmetric Routing when accessing gateway cluster members?

    Quote Originally Posted by jflemingeds:
    If the cluster is healthy, please explain the firewall topology, where the client is connected, show the route table of the firewalls, and show the interface listed in the drop message.
    Thanks. Yeah, I believe my cluster is healthy; however, for some reason I am getting a lot of dropped packets in the logs attributed to anti-spoofing to the VRRP multicast address. The "A" FW is to be master for 11 interfaces and the backup "B" backup for 11 interfaces. My question is, in that scenario, should my cphaprob state show active/backup, or is active/active correct as it is shown there?

    vf-exn-ccs-fw-b> cphaprob state

    Cluster Mode: Sync only (OPSEC) with IGMP Membership

    Number Unique Address Firewall State (*)

    1 10.1.1.1 Active
    2 (local) 10.1.1.2 Active

    (*) FW-1 monitors only the sync operation and the security policy
    Use OPSEC's monitoring tool to get the cluster status
    vf-exn-ccs-fw-b> cphaprob -a if

    eth1 non sync(non secured)
    eth6 non sync(non secured)
    eth2 non sync(non secured)
    eth7 sync(secured), multicast
    eth1-01 non sync(non secured)
    eth3 non sync(non secured)
    eth1-02 non sync(non secured)
    eth1-03 non sync(non secured)
    eth1-04 non sync(non secured)
    eth4 non sync(non secured)
    eth5 non sync(non secured)

    Virtual cluster interfaces: 11


    vf-exn-ccs-fw-b> show route
    Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
    O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
    A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
    U - Unreachable, i - Inactive

    S 0.0.0.0/0 via 140.162.41.49, eth5.400, cost 0, age 17733
    C 10.1.1.0/24 is directly connected, eth7
    S 10.8.3.0/26 via 166.17.20.254, eth5, cost 0, age 17733
    NTP
    S 10.10.16.0/24 via 166.17.20.254, eth5, cost 0, age 17733
    S 10.10.35.0/26 via 166.17.20.254, eth5, cost 0, age 17733
    Domain Controllers
    S 10.10.135.0/24 via 166.17.20.254, eth5, cost 0, age 17733
    S 10.10.141.0/28 via 166.17.20.254, eth5, cost 0, age 17733
    S 10.10.254.0/24 via 166.17.20.254, eth5, cost 0, age 17733
    S 10.110.254.0/24 via 166.17.20.254, eth5, cost 0, age 17733
    C 127.0.0.0/8 is directly connected, lo
    C 140.162.40.64/26 is directly connected, eth6
    DNS/Blackhole B2B range
    C 140.162.40.128/27 is directly connected, eth4
    CEF B2B IFZ
    C 140.162.40.160/27 is directly connected, eth1-03
    C 140.162.40.0/26 is directly connected, eth3
    C 140.162.41.48/29 is directly connected, eth5.400
    C 140.162.41.0/28 is directly connected, eth1-01
    C 166.17.20.112/29 is directly connected, eth2
    SAN Replication
    C 166.17.20.128/26 is directly connected, eth1
    C 166.17.20.224/27 is directly connected, eth5
    C 166.17.20.0/27 is directly connected, eth1-02
    S 166.17.24.128/25 via 166.17.20.254, eth5, cost 0, age 17745
    S 166.17.24.0/28 via 166.17.20.254, eth5, cost 0, age 17745
    C 166.17.224.160/27 is directly connected, eth1-04
    S 172.16.20.0/24 via 166.17.20.254, eth5, cost 0, age 17745
    S 172.16.30.0/24 via 166.17.20.254, eth5, cost 0, age 17745
    S 172.16.36.0/24 via 166.17.20.254, eth5, cost 0, age 17745
    S 172.16.45.0/24 via 166.17.20.254, eth5, cost 0, age 17745
    S 172.16.50.0/24 via 166.17.20.254, eth5, cost 0, age 17745

I'm coming from an external network located on the outside, and we access them on their 166.17.20.251/252/253 interfaces for direct access to the boxes.
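
The check that post #2 describes (connect to the member address on the interface facing the client, or the reply leaves by a different interface than the SYN arrived on) can be made mechanical against the route table posted in post #6. The script below is an added example, not code from this thread or from Check Point: it parses a Gaia "show route" listing (abridged from the one posted above, route comment lines included), finds the connected interface that owns the member address the client connects to, then does a longest-prefix lookup on the client's address to find the interface the member's reply will use. The client addresses 203.0.113.10 and 172.16.20.10 and the member address 140.162.41.50 on eth5.400 are assumptions chosen for illustration; the thread does not say which source address the real client uses. For a client that only the default route covers, the member address 166.17.20.251 is owned by eth5 while the reply leaves on eth5.400, which is the asymmetric case; a client behind 166.17.20.254, or a connection to an address on the eth5.400 subnet, comes out symmetric.

```python
"""Route-symmetry check for management connections to a cluster member.

Added example (not from the thread or from Check Point). Route table abridged
from post #6; client addresses and the 140.162.41.50 member address are
assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Abridged "show route" output as posted for vf-exn-ccs-fw-b. Gaia prints the
# legend first and a comment line (e.g. "NTP") under annotated static routes.
SHOW_ROUTE = """\
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive

S 0.0.0.0/0 via 140.162.41.49, eth5.400, cost 0, age 17733
C 10.1.1.0/24 is directly connected, eth7
S 10.8.3.0/26 via 166.17.20.254, eth5, cost 0, age 17733
NTP
S 10.10.35.0/26 via 166.17.20.254, eth5, cost 0, age 17733
Domain Controllers
C 127.0.0.0/8 is directly connected, lo
C 140.162.40.64/26 is directly connected, eth6
DNS/Blackhole B2B range
C 140.162.41.48/29 is directly connected, eth5.400
C 140.162.41.0/28 is directly connected, eth1-01
C 166.17.20.112/29 is directly connected, eth2
SAN Replication
C 166.17.20.128/26 is directly connected, eth1
C 166.17.20.224/27 is directly connected, eth5
C 166.17.20.0/27 is directly connected, eth1-02
S 172.16.20.0/24 via 166.17.20.254, eth5, cost 0, age 17745
S 172.16.30.0/24 via 166.17.20.254, eth5, cost 0, age 17745
"""

# Matches "S <prefix> via <nexthop>, <iface>, ..." and
# "C <prefix> is directly connected, <iface>"; legend and comment lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:via\s+(?P<nexthop>[\d.]+),\s*|is directly connected,\s*)"
    r"(?P<iface>[\w.-]+)"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    iface: str
    nexthop: str  # empty string for connected routes


def parse_show_route(text):
    """Return the Route entries found in a Gaia 'show route' listing."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:  # legend, blank line, or a route comment such as "NTP"
            continue
        routes.append(Route(m["code"],
                            ipaddress.ip_network(m["prefix"], strict=False),
                            m["iface"], m["nexthop"] or ""))
    return routes


def longest_match(routes, addr, codes=None):
    """Longest-prefix lookup of addr, optionally restricted to route codes."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if codes and r.code not in codes:
            continue
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def check_path(routes, client_ip, member_ip):
    """Compare the interface owning member_ip (where the client's SYN arrives)
    with the interface the route table picks for the reply to client_ip."""
    ingress = longest_match(routes, member_ip, codes={"C"})
    egress = longest_match(routes, client_ip)
    return {
        "ingress": ingress.iface if ingress else None,
        "egress": egress.iface if egress else None,
        "reply_route": str(egress.network) if egress else None,
        "symmetric": bool(ingress and egress and ingress.iface == egress.iface),
    }


ROUTES = parse_show_route(SHOW_ROUTE)

if __name__ == "__main__":
    cases = [("172.16.20.10", "166.17.20.251"),   # client behind 166.17.20.254
             ("203.0.113.10", "166.17.20.251"),   # client only the default route covers
             ("203.0.113.10", "140.162.41.50")]   # same client, assumed address on eth5.400
    for client, member in cases:
        r = check_path(ROUTES, client, member)
        print(f"{client} -> {member}: SYN arrives on {r['ingress']}, "
              f"reply via {r['reply_route']} on {r['egress']}, symmetric={r['symmetric']}")
```

Run it with the full "show route" output of each member pasted into SHOW_ROUTE and the real client address; an asymmetric result for the member address you use is the condition post #2 describes, and the fix is to connect to the member's address on the interface the reply leaves from. A symmetric result only covers routing on the one member whose table you pasted; it says nothing about which member VRRP has as master on that interface.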

  7. #7
    Join Date
    2006-05-23
    Posts
    29
    Rep Power
    0

Re: Asymmetric Routing when accessing gateway cluster members?

    Having some issues uploading a screenshot of the VRRP monitor summary, but I have 11 as master and 11 as backup, just as I'd expect to have.

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,625
    Rep Power
    9

Re: Asymmetric Routing when accessing gateway cluster members?

    Quote Originally Posted by jflemingeds:
    If the cluster is healthy, please explain the firewall topology, where the client is connected, show the route table of the firewalls, and show the interface listed in the drop message.
    Sure thing! I'll get that as soon as I get a chance.
