SSH to gateway cluster hangs – Finally fixed!

Oh this is most bizarre.

All my Check Point life I noticed that when you ssh to the standby member it will hang for 30 seconds. I actually figured out long ago that it was a DNS problem. Member B was sending reverse DNS queries and the DNS request was getting translated to the cluster IP address. When the response came back, the active member (NOT the standby member) was dropping the response because the standby sent it out, not the active.

I’ve been too lazy to fix every firewall with a NAT rule. But someone showed me this cool but bizarre trick.

  1. In your cluster configuration for ClusterXL, select VRRP instead of ClusterXL.
  2. Uncheck/Clear the Hide Cluster members outgoing ……..
  3. Set VRRP BACK!!! to ClusterXL
  4. Push policy


DNS hide behind cluster IP


Waaaaalllaaaa! DNS and ssh now work.

Just sniff DNS traffic on both members to verify. NOTE: the tcpdump is wrong on the source IP going OUT but the replies make sense.

Cool huh??

Make sure this doesn’t screw with your OSPF/routed or other gateway-initiated traffic, because remember: all gateway-initiated traffic is now from the member IP and not the cluster IP.

NAT away!!!!!
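To go with the "sniff DNS traffic on both members" check, here is an added example (not from the original post) that takes `tcpdump -nn` text saved from each member and reports which member each DNS reply landed on. It matches on the DNS transaction ID rather than the source IP, since the post notes the outgoing source IP in tcpdump is misleading; the member names, addresses and capture lines are constructed samples.

```python
import re

# One tcpdump -nn text line for DNS over UDP/IPv4 looks like:
# 12:00:01.10 IP 192.0.2.12.40001 > 198.51.100.53.53: 4660+ PTR? ... (41)
LINE = re.compile(r"IP [\d.]+\.(?P<sport>\d+) > [\d.]+\.(?P<dport>\d+): (?P<id>\d+)")

def dns_events(capture):
    """Return (query_ids, reply_ids) seen in one member's capture text."""
    queries, replies = set(), set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and m["dport"] == "53":
            queries.add(m["id"])
        elif m and m["sport"] == "53":
            replies.add(m["id"])
    return queries, replies

def trace_replies(captures):
    """captures: {member: tcpdump text}. Returns [(member, dns_id, verdict)]."""
    seen = {name: dns_events(text) for name, text in captures.items()}
    results = []
    for member, (queries, replies) in seen.items():
        for qid in sorted(queries, key=int):
            # Assumption: tcpdump sees an inbound reply even if the firewall then drops it.
            others = [n for n, (_, r) in seen.items() if n != member and qid in r]
            if qid in replies:
                verdict = "answered"
            elif others:
                verdict = f"reply went to {others[0]}"
            else:
                verdict = "no reply seen"
            results.append((member, qid, verdict))
    return results

# Constructed sample captures (documentation addresses, not real hosts).
QUERY = "12:00:01.10 IP 192.0.2.12.40001 > 198.51.100.53.53: 4660+ PTR? 7.2.0.192.in-addr.arpa. (41)"
# Before: the reply is addressed to the cluster IP (192.0.2.10) and lands on the active member.
BEFORE = {
    "member_a": "12:00:01.13 IP 198.51.100.53.53 > 192.0.2.10.40001: 4660 NXDomain 0/1/0 (99)",
    "member_b": QUERY,
}
# After: the reply is addressed to the standby's own IP (192.0.2.12).
AFTER = {
    "member_a": "",
    "member_b": QUERY + "\n12:00:01.13 IP 198.51.100.53.53 > 192.0.2.12.40001: 4660 NXDomain 0/1/0 (99)",
}
if __name__ == "__main__":
    for label, caps in (("before", BEFORE), ("after", AFTER)):
        print(label, trace_replies(caps))
```

A "reply went to" verdict for a query sent by the standby is the hang described at the top of the post; "answered" on the standby is what the capture should show after the policy push.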





  • jontheniceguy  On October 24, 2013 at 5:26 pm

    You might also want to check out KB: sk31832

    • Dreezman  On October 24, 2013 at 6:12 pm

      Thanks for the tip!

      I do try and avoid modifying files that don’t carry through an upgrade. But beggars can’t be choosers sometimes.


  • SebastianB  On October 24, 2013 at 6:10 pm


    Also, an alternative would be to just remove certain protocols from clusterhide as explained in sk31832.

    Might be useful if you for some reason need to keep hiding most outgoing traffic behind cluster vip.

