Guys,
We've recently upgraded to CheckPoint UTM 5070 appliances running R70
throughout our organization.
CoreXL is enabled on the appliances running OSPF on Area0. Sample
configuration is as follows:
-------FW A--------- 172.20.0.10
| |
WAN Link B | OSPF | WAN Link A
Cost 100 | Area 0 | Cost 10
| |
-------Router A------172.20.0.59
What we've noticed is that if WAN link A goes down either by a physical
interface disconnect or an ifdown on that interface of the FW, traffic fails
over properly to the Secondary WAN link as expected. However, when WAN link
A comes back up no ARP replies for the ip address on that interface are
being sent by the firewall. eg:
01:08:08.851678 arp who-has 172.20.0.10 tell 172.20.0.59
01:08:09.852893 arp who-has 172.20.0.10 tell 172.20.0.59
01:08:11.393224 arp who-has 172.20.0.10 tell 172.20.0.59
01:08:12.394189 arp who-has 172.20.0.10 tell 172.20.0.59
01:08:13.394403 arp who-has 172.20.0.10 tell 172.20.0.59
01:08:14.876472 arp who-has 172.20.0.10 tell 172.20.0.59
01:08:15.876687 arp who-has 172.20.0.10 tell 172.20.0.59
Notice no ARP replies are being sent from 172.20.0.10 (ip on FW interface
WAN link A).
This results in ARP incompletes for the ip 172.20.0.10 and hence no ip
connectivity.
We have also tested this with R70.20 with the same results.
We're working with TAC to get this sorted out but i'd just like to know if
anyone has ever come across this problem before?
Can someone shed some light on this please.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
