Monday, May 8, 2017

Urgent! Your VSX proxy ARP settings might be broken with latest R77.30 Jumbo HFA

In 2014 I wrote an article about setting proxy ARP on a VSX bond interface.

IMPORTANT: The information below is not 100% accurate. Please jump to the new post for more details


The problem first occurred during a sophisticated VSX setup with one of my customers. Although CP's official documentation insisted on doing it from Gaia clish, that was failing, and a manual local.arp file was required.

Since then, Check Point corrected its recommendation, and in sk30197 local.arp is mentioned as the appropriate configuration.

Guess what? With R77.30 Jumbo HFA package 210 and above, this is now broken.

Last week another VSX customer of mine reported to me that installing Jumbo 216 caused a four-hour outage on their business-critical system, and the reason was failing proxy ARP settings. They had used local.arp files, but after installing the 216 Jumbo HFA package those files were purged. They also needed to use Gaia clish to configure it again.

After some research, we are now convinced that this is the result of the fix for the bonding issue mentioned in sk111675. The fix is included in Jumbo packages version 201 and up.

The ugly part of the issue is that it was not expected and apparently not tested on a system with pre-existing local.arp.

If you happen to have local.arp files in place and plan to install the latest R77.30 Jumbo HFA, take extra care.

The documentation is not fixed yet, and I have not managed to find any new SK on the matter.
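One way to catch this during a change window, as an added example that is not part of the original post and not Check Point tooling: snapshot manually edited files such as `$FWDIR/conf/local.arp` before the Jumbo install, then compare after the install and again after the next reboot. The function names and the snapshot directory are hypothetical, and `sha256sum` is assumed to be available on the gateway.

```shell
#!/bin/bash
# Added example (not vendor tooling). Usage, with a hypothetical snapshot dir:
#   before install:        snapshot_configs /var/tmp/pre_jumbo "$FWDIR/conf/local.arp"
#   after install/reboot:  verify_configs /var/tmp/pre_jumbo

# snapshot_configs SNAPDIR FILE...
# Copies each existing FILE under SNAPDIR/files and records its SHA-256.
snapshot_configs() {
    local snap="$1" f
    shift
    mkdir -p "$snap/files" || return 2
    : > "$snap/manifest"
    for f in "$@"; do
        if [ -f "$f" ]; then
            mkdir -p "$snap/files/$(dirname "$f")"
            cp -p "$f" "$snap/files/$f"
            printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f" >> "$snap/manifest"
        else
            echo "SKIP (not present): $f" >&2
        fi
    done
}

# verify_configs SNAPDIR
# Prints one status line per recorded file.
# Returns 1 if any recorded file was purged or its content changed.
verify_configs() {
    local snap="$1" sum f rc=0
    while read -r sum f; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f  (saved copy: $snap/files/$f)"
            rc=1
        elif [ "$(sha256sum < "$f" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $f  (saved copy: $snap/files/$f)"
            rc=1
        else
            echo "OK       $f"
        fi
    done < "$snap/manifest"
    return $rc
}
```

A non-zero return from `verify_configs` after the install or after a reboot means a recorded file was purged or rewritten, and the saved copy shows what the proxy ARP entries were.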


10 comments:

  1. Thank you for the heads up... will take note of this, as one of our customers is on VSX 77.30 as well with a local.arp file configured.

    1. Any time. Please let me know how it went for you and your customer

  2. Valeri,

    Did your customer report the issue to our Technical Support? Can you contact me via email?

    1. Yes they did. They have Diamond contract I believe Check Point has my email address, so nothing stops you to contact me offline.

  3. Thanks for sharing, Valery... You've saved my day. I'm just planning a Jumbo HFA install on VSX... local.arp added to my checklist.

  4. Meanwhile, the relevant note was added to the SK articles that provide the Jumbo Hotfix Accumulator.

    For example, refer to sk106162 (R77.30 Jumbo Hotfix) - section "Installation instructions" - subsection "Important Notes:"

    Before installing this Jumbo Hotfix Accumulator, back up any configuration file that was edited manually.
    List of the most important files (many others exist):
    $FWDIR/boot/modules/fwkern.conf
    $FWDIR/boot/modules/vpnkern.conf
    $PPKDIR/boot/modules/simkern.conf
    $PPKDIR/boot/modules/sim_aff.conf
    $FWDIR/conf/fwaffinity.conf
    $FWDIR/conf/local.arp
    $FWDIR/conf/discntd.if
    $FWDIR/conf/cphaprob.conf
    $FWDIR/conf/cpha_bond_ls_config.conf
    $FWDIR/conf/fwauthd.conf
    $FWDIR/conf/resctrl
    $FWDIR/conf/vsaffinity_exception.conf
    $FWDIR/database/qos_policy.C
    /var/ace/sdconf.rec
    /var/ace/sdopts.rec
    /etc/snmp/snmpd.conf
    /etc/snmp/userDefinedSettings.conf
    /etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
    /etc/snmp/snmpmonitor.conf

    1. It is a bit more complex, I am afraid. Even if you put local.arp back in place, it will be overwritten at the next reboot.

      They really "fixed" it, Sergei

    2. Correction. The issue was not accurately reported. Please see the link to a new post with more details

      http://checkpoint-master-architect.blogspot.ch/2017/05/vsx-and-localarp-correction-and-follow.html

  5. A fix is compiled and will be integrated in the next jumbo take
