SSH to gateway cluster hangs – Finally fixed!

Oh this is most bizarre.

All my Check Point life I noticed that when you ssh to the standby member it hangs for 30 seconds. I figured out long ago that it was a DNS problem: member B was sending reverse DNS queries, and the DNS request was getting translated to the cluster IP address. When the response came back, the active member (NOT the standby member) was dropping the response, because the standby had sent the query, not the active.

I’ve been too lazy to fix every firewall with a NAT rule. But someone showed me this cool but bizarre trick.

  1. In your cluster object’s ClusterXL configuration, select VRRP instead of ClusterXL.
  2. Uncheck/clear the “Hide Cluster members outgoing ……” option.
  3. Set VRRP BACK!!! to ClusterXL.
  4. Push policy.

[Image: DNS hide behind cluster IP]

Waaaaalllaaaa! DNS and ssh now work.

Just sniff DNS traffic on both members to verify. NOTE: tcpdump shows a misleading source IP on the outgoing queries, but the replies make sense.
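Since the replies are the part of the capture you can trust, here is an added helper (not from the original post) that reads tcpdump text from stdin and flags DNS replies addressed to the cluster VIP instead of the member's own IP. The member IP 10.1.1.2, VIP 10.1.1.1, resolver 192.0.2.53 and the two sample captures are all constructed for the example.

```shell
# Constructed tcpdump -nn output: a reverse lookup whose reply comes back to
# the cluster VIP (the symptom) and, after the fix, to the member IP.
CAPTURE_BEFORE_FIX='10:15:01.000001 IP 10.1.1.2.33000 > 192.0.2.53.53: 4711+ PTR? 9.0.0.10.in-addr.arpa. (42)
10:15:01.000402 IP 192.0.2.53.53 > 10.1.1.1.33000: 4711 1/0/0 PTR admin-pc.example.net. (76)'
CAPTURE_AFTER_FIX='10:20:01.000001 IP 10.1.1.2.33001 > 192.0.2.53.53: 4712+ PTR? 9.0.0.10.in-addr.arpa. (42)
10:20:01.000380 IP 192.0.2.53.53 > 10.1.1.2.33001: 4712 1/0/0 PTR admin-pc.example.net. (76)'

# dns_reply_dests MEMBER_IP CLUSTER_VIP   (tcpdump text on stdin)
# Only DNS replies (source port 53) are inspected, because the source IP
# printed for outgoing queries is misleading. A reply addressed to the VIP is
# the failure signature: the active member owns that address and drops an
# answer to a query it never sent. Prints "good=N bad=M"; exit 1 if bad > 0.
dns_reply_dests() {
    awk -v member="$1" -v vip="$2" '
        {
            # Find the "IP" token so timestamps or direction columns
            # (e.g. "In"/"Out" on newer tcpdump) do not shift the fields.
            for (i = 1; i <= NF; i++) if ($i == "IP") break
            if (i + 3 > NF) next
            src = $(i + 1); dst = $(i + 3)
            if (src !~ /\.53$/) next           # not a reply from port 53
            sub(/:$/, "", dst)                 # "10.1.1.1.33000:" -> no colon
            sub(/\.[0-9]+$/, "", dst)          # strip the port -> "10.1.1.1"
            if (dst == vip) bad++
            else if (dst == member) good++
        }
        END {
            printf "good=%d bad=%d\n", good, bad
            if (bad > 0) exit 1
        }'
}

# Stand-alone demo over both constructed captures.
for cap in "$CAPTURE_BEFORE_FIX" "$CAPTURE_AFTER_FIX"; do
    printf '%s\n' "$cap" | dns_reply_dests 10.1.1.2 10.1.1.1 \
        || echo "replies are going to the VIP: the active member will drop them"
done
```

On a real box feed it with something like `tcpdump -nni any udp port 53 | dns_reply_dests <member-ip> <vip>` on each member.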

Cool huh??

Make sure this doesn’t screw with your OSPF/routed or other gateway-initiated traffic, because remember that all gateway-initiated traffic is now sourced from the member IP and not the cluster IP.

NAT away!!!!!





  • jontheniceguy  On October 24, 2013 at 5:26 pm

    You might also want to check out KB: sk31832

    • Dreezman  On October 24, 2013 at 6:12 pm

      Thanks for the tip!

      I do try and avoid modifying files that don’t carry through an upgrade. But beggars can’t be choosers sometimes.


  • SebastianB  On October 24, 2013 at 6:10 pm

    Also, an alternative would be to just remove certain protocols from clusterhide as explained in sk31832.

    Might be useful if you for some reason need to keep hiding most outgoing traffic behind the cluster VIP.


