Created on 04-17-2009 05:28 AM
MAC address changes on default gateway -> sessions not updated
We have the following configuration at a customer:
The default gateway of the FortiGate is a Checkpoint cluster.
When a failover occurs on the Checkpoint cluster, the FortiGate seems to receive the change. I can see that the ARP table has been updated and the IP address of the default gateway points to the new MAC address of the other Checkpoint cluster member.
New sessions are working properly.
But existing sessions don't work anymore. It seems they are routed to the MAC address of the failed cluster member.
I have to kill the session on the FortiGate or wait for the session timeout to occur.
Is this behaviour by design?
Shouldn't the FortiGate update all the sessions which point to the wrong MAC address?
This behaviour would be very odd, as the MAC is at the hardware level. Are you sure it's not the Checkpoint dropping the sessions during the failover?
In the past when I worked on Checkpoints, they used to use a virtual MAC address anyway, so this couldn't happen.
Does sound to me like the Checkpoint is the more likely culprit. Else it's a very bizarre fault.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Created on 04-17-2009 06:07 AM
I don' t think its Checkpoint.
because TCP sessions (like SSH and HTTP) are working fine.
but not ICMP.
the customer is now trying with UDP (TFTP).
it' s reproducable:
a Ping -t won' t work after a Checkpoint failover anymore, but it starts to work again just after a manual session kill on the Fortigate.
the Checkpoint doesn' t seem to use a virtual MAC but a virtual IP.
at a cluster failover I can see a MAC change on the gateway IP:
normal
10.19.219.4 0 00:0e:0c:80:c0:e4 port6 (virtual IP?)
10.19.219.5 0 00:04:23:ce:01:00 port6 (member1)
10.19.219.6 0 00:0e:0c:80:c0:e4 port6 (member2)
Failover:
10.19.219.4 0 00:04:23:ce:01:00 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
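The two ARP snapshots above are exactly the kind of evidence worth diffing mechanically when a gateway cluster fails over. The script below is an added example (it is not from the thread and not Fortinet code): it parses ARP-table text in the "Address Age Hardware-Addr Interface" layout of the lines posted above, reports which IPs changed MAC between two snapshots, and then checks a list of session records against the current table to find sessions still pinned to the old next-hop MAC. The session records are constructed and hypothetical, since the post does not show the FortiGate's real session table; only the ARP lines are modelled on the thread.

```python
import re
from dataclasses import dataclass

# Constructed ARP snapshots modelled on the lines posted in the thread
# (FortiGate "get system arp" style: Address, Age(min), Hardware Addr, Interface).
ARP_BEFORE = """\
Address           Age(min)   Hardware Addr      Interface
10.19.219.4 0 00:0e:0c:80:c0:e4 port6 (virtual IP?)
10.19.219.5 0 00:04:23:ce:01:00 port6 (member1)
10.19.219.6 0 00:0e:0c:80:c0:e4 port6 (member2)
"""

ARP_AFTER = """\
10.19.219.4 0 00:04:23:ce:01:00 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
"""

# One ARP row; a trailing free-text annotation (as in the post) is tolerated.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<iface>\S+)(?:\s.*)?$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: (mac, interface)}; header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"])
    return table


def changed_macs(before, after):
    """IPs whose hardware address differs between two snapshots: {ip: (old, new)}."""
    return {
        ip: (before[ip][0], after[ip][0])
        for ip in before
        if ip in after and before[ip][0] != after[ip][0]
    }


@dataclass
class Session:
    """Hypothetical session record: the next-hop MAC it was resolved to at setup."""
    proto: str
    src: str
    dst: str
    gateway: str
    next_hop_mac: str


# Constructed sessions; the first was set up before the failover and still
# carries the old MAC of the gateway IP, the others already match the new table.
SAMPLE_SESSIONS = [
    Session("icmp", "10.19.1.50", "203.0.113.7", "10.19.219.4", "00:0e:0c:80:c0:e4"),
    Session("tcp", "10.19.1.51", "203.0.113.9", "10.19.219.4", "00:04:23:ce:01:00"),
    Session("udp", "10.19.1.52", "10.19.219.6", "10.19.219.6", "00:0e:0c:80:c0:e4"),
]


def stale_sessions(sessions, arp_now):
    """Sessions whose cached next-hop MAC no longer matches the ARP table."""
    return [
        s for s in sessions
        if s.gateway in arp_now and arp_now[s.gateway][0] != s.next_hop_mac.lower()
    ]


if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    for ip, (old, new) in changed_macs(before, after).items():
        print(f"{ip}: {old} -> {new}")
    for s in stale_sessions(SAMPLE_SESSIONS, after):
        print(f"stale {s.proto} {s.src}->{s.dst} via {s.gateway} (cached {s.next_hop_mac})")
```

The same diff can be taken from two real `get system arp` captures (one before, one after the cluster switch) to confirm that only the virtual IP changed its MAC; any session the firewall reports as still using the old MAC is the one that has to be killed or timed out, as described in the post.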
I still think you will find this is a Checkpoint issue. Firewall failovers normally have limitations like this.
If TCP is working fine, then surely the customer isn't going to notice anyway.
You could do a packet sniff on the internal interface of the FortiGate; this will prove whether it's even seeing the traffic coming in.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Created on 04-17-2009 07:05 AM
I'll try sniffing next week...
("diag sniffer packet" if I remember?)
" normally" a Cluster should send out a GARP when switchover occurs. I also recall that CHKPT _can_ use some strange Multicast based HA (Unicast IP with Multicast Mac) (although in your example they look unicast :)
When sniffing - keep an eye on ARPs, if you see a GARP being sent out.
Otherwise it' s " normal" that the FGT will not relearn the Address until the MAc Table times out. You can verify this by manually clear ARP cache on FGT after CHKPT Failover happens.
-R.
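As an added example of what "keep an eye on ARPs" means in practice (this is not code from the thread or from either vendor), the script below decodes raw Ethernet/ARP frames, classifies each as a gratuitous ARP (sender IP equals target IP), an ordinary reply or a request, and records every point at which the MAC announced for the gateway IP differs from the one previously known. The frames are constructed in the script itself with the addresses from the thread so it runs offline; on a real capture you would feed it the frames taken from the sniffer output instead.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(oper, sha, spa, tha, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Constructed Ethernet+ARP frame for offline testing (not captured traffic)."""
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, ETH_P_IP, 6, 4, oper,
                      mac_bytes(sha), IPv4Address(spa).packed,
                      mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet/ARP frame; return None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if htype != 1 or ptype != ETH_P_IP or hlen != 6 or plen != 4:
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(arp):
    """A GARP announces the sender's own IP: sender and target protocol address match."""
    return arp["spa"] == arp["tpa"]


def gateway_mac_events(frames, gateway_ip, known_mac):
    """Return [(kind, old_mac, new_mac)] each time the gateway IP is seen with a new MAC."""
    events, current = [], known_mac.lower()
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None or arp["spa"] != gateway_ip:
            continue
        kind = "garp" if is_gratuitous(arp) else ("reply" if arp["oper"] == ARP_REPLY else "request")
        if arp["sha"] != current:
            events.append((kind, current, arp["sha"]))
            current = arp["sha"]
    return events


# Constructed capture: a GARP from the cluster after failover, a normal host
# request, a plain reply from the gateway, and a non-ARP frame that must be ignored.
OLD_GW_MAC, NEW_GW_MAC = "00:0e:0c:80:c0:e4", "00:04:23:ce:01:00"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, NEW_GW_MAC, "10.19.219.4", "00:00:00:00:00:00", "10.19.219.4"),
    build_arp_frame(ARP_REQUEST, "00:50:56:aa:bb:cc", "10.19.219.50", "00:00:00:00:00:00", "10.19.219.4"),
    build_arp_frame(ARP_REPLY, NEW_GW_MAC, "10.19.219.4", "00:50:56:aa:bb:cc", "10.19.219.50",
                    dst="00:50:56:aa:bb:cc"),
    mac_bytes("00:50:56:aa:bb:cc") + mac_bytes(NEW_GW_MAC) + struct.pack("!H", ETH_P_IP) + bytes(40),
]

if __name__ == "__main__":
    for kind, old, new in gateway_mac_events(SAMPLE_FRAMES, "10.19.219.4", OLD_GW_MAC):
        print(f"gateway MAC changed via {kind}: {old} -> {new}")
```

If a capture taken across the failover shows no GARP event for the gateway IP, the cluster is not announcing the move and the FortiGate will, as the reply says, keep the old entry until its ARP cache ages out; a GARP that is present but whose new MAC never appears in the firewall's ARP table points instead at the firewall ignoring the announcement.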
