In 2014 I wrote an article about setting proxy ARP on a VSX bond interface.
IMPORTANT: The information below is not 100% accurate. Please jump to the new post for more details
The problem first occurred during a sophisticated VSX setup with one of my customers. Although official Check Point documentation insisted on doing it from Gaia clish, that was failing, and a manual local.arp file was required.
Since then, Check Point corrected its recommendation, and in sk30197 local.arp is mentioned as the appropriate configuration.
Guess what? With R77.30 Jumbo HFA package 210 and above this is now broken.
Last week another VSX customer of mine reported that installing Jumbo 216 caused a four-hour outage on their business-critical system, and the reason was failing proxy ARP settings. They had used local.arp files, but after installing the 216 Jumbo HFA package those files were purged. They also needed to use Gaia clish to configure it, again.
After some research, we are now convinced that this is the result of fixing the bonding issue mentioned in sk111675. The fix is included in Jumbo packages version 201 and up.
The ugly part of the issue is that it was not expected and apparently not tested on a system with pre-existing local.arp.
The documentation is not fixed yet, and I have not managed to find any new SK on the matter.
-----------
Thank you for the heads up... Will take note of this, as one of our customers is on VSX 77.30 as well with a local.arp file configured.
Any time. Please let me know how it went for you and your customer.
Valeri,
Did your customer report the issue to our Technical Support? Can you contact me via email?
Yes, they did. They have a Diamond contract I believe Check Point has my email address, so nothing stops you from contacting me offline.
Thanks for sharing, Valery... You've saved my day. I'm just planning a jumbo HFA install on VSX... local.arp added to my checklist.
Happy to help.
Meanwhile, the relevant note was added to the SK articles that provide Jumbo Hotfix Accumulator.
For example, refer to sk106162 (R77.30 Jumbo Hotfix) - section "Installation instructions" - subsection "Important Notes:"
Before installing this Jumbo Hotfix Accumulator, back up any configuration file that was edited manually.
List of the most important files (many others exist):
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cphaprob.conf
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
/var/ace/sdconf.rec
/var/ace/sdopts.rec
/etc/snmp/snmpd.conf
/etc/snmp/userDefinedSettings.conf
/etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
/etc/snmp/snmpmonitor.conf
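The backup step from the note above, extended with a check to run after the install and again after the first reboot, as an added example that is not part of the original comments and is not Check Point tooling. The function names and the /var/tmp/pre_jumbo backup directory are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example, not Check Point tooling. Run from expert mode so that
# $FWDIR and $PPKDIR are set. Usage with paths from the list above
# (/var/tmp/pre_jumbo is a hypothetical backup directory):
#   snapshot_configs /var/tmp/pre_jumbo "$FWDIR/conf/local.arp" \
#       "$FWDIR/boot/modules/fwkern.conf" "$PPKDIR/boot/modules/simkern.conf"
#   ...install the Jumbo, reboot...
#   verify_configs /var/tmp/pre_jumbo

# snapshot_configs BACKUP_DIR FILE...
# Copies every listed file that exists into BACKUP_DIR/files and records
# its path in BACKUP_DIR/manifest.
snapshot_configs() {
    local dest="$1" f
    shift
    mkdir -p "$dest/files" || return 1
    : > "$dest/manifest"
    for f in "$@"; do
        [ -f "$f" ] || continue    # not every file exists on every gateway
        mkdir -p "$dest/files/$(dirname "$f")" &&
            cp -p "$f" "$dest/files/$f" &&
            printf '%s\n' "$f" >> "$dest/manifest" || return 1
    done
}

# verify_configs BACKUP_DIR
# Compares each recorded file with its saved copy. Prints "MISSING <path>"
# for a purged file and "CHANGED <path>" for a rewritten one.
# Returns 0 when every file is intact, 1 otherwise.
verify_configs() {
    local dest="$1" rc=0 f
    while IFS= read -r f; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
        elif ! cmp -s "$f" "$dest/files/$f"; then
            echo "CHANGED $f"
            rc=1
        fi
    done < "$dest/manifest"
    return $rc
}
```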
It is a bit more complex, I am afraid. Even if you put back in place local.arp, it will be overwritten at the next reboot.
They really "fixed" it, Sergei
Correction. The issue was not accurately reported. Please see the link to a new post with more details
http://checkpoint-master-architect.blogspot.ch/2017/05/vsx-and-localarp-correction-and-follow.html
A fix is compiled and will be integrated in the next jumbo take