SSH to gateway cluster hangs – Finally fixed!

Oh this is most bizarre.

All my CheckPoint life I noticed that when you ssh to the standby member it will hang for 30 seconds. I actually figured out long ago that it was a DNS problem. Member B was sending reverse DNS queries and the DNS request was getting translated to the cluster IP address. When the response came back, the active member (NOT the standby member) was dropping the response because the standby sent it out, not the active.

I’ve been too lazy to fix every firewall with a NAT rule. But someone showed me this cool but bizarre trick.

  1. In your cluster configuration for clusterXL, select VRRP instead of clusterXL.
  2. Uncheck/Clear the Hide Cluster members outgoing ……..
  3. Set VRRP BACK!!! to clusterXL
  4. Push policy

(Screenshot: DNS hide behind cluster IP)

Waaaaalllaaaa! DNS and ssh now works.

Just sniff DNS traffic on both members to verify. NOTE: tcpdump shows the wrong source IP on the query going OUT, but the replies make sense.
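The verification above boils down to one question per member: does every DNS query the member sends get a reply addressed back to that member? The script below is an added example (not from the post or from Check Point) that pairs queries with replies in `tcpdump -n`-style output by DNS transaction id, and lists the queries whose reply never came back. The member address and the capture lines are constructed for illustration; it deliberately ignores the source address printed for outgoing queries, since, as noted above, tcpdump shows the pre-translation address there.

```python
"""Pair DNS queries with their replies in a tcpdump-style capture taken on one
cluster member, and report queries whose reply never reached that member.
Added example; addresses and capture lines are constructed, not real data."""
import re

MEMBER_IP = "10.1.1.2"    # hypothetical standby member address (assumption)

# Constructed 'tcpdump -n udp port 53' style lines from BEFORE the change:
# two PTR queries leave the standby member, no reply is ever seen on it.
# The SSH line is noise that the parser must skip.
BEFORE_FIX = """\
10:00:00.000001 IP 10.1.1.2.40001 > 10.1.1.53.53: 4097+ PTR? 9.0.0.10.in-addr.arpa. (42)
10:00:00.000200 IP 10.0.0.9.51000 > 10.1.1.2.22: Flags [S], seq 1, win 64240, length 0
10:00:05.000001 IP 10.1.1.2.40002 > 10.1.1.53.53: 4098+ PTR? 9.0.0.10.in-addr.arpa. (42)
"""

# Constructed lines from AFTER the change: the reply is addressed to the
# member itself, so the standby actually receives it.
AFTER_FIX = """\
10:05:00.000001 IP 10.1.1.2.40003 > 10.1.1.53.53: 4099+ PTR? 9.0.0.10.in-addr.arpa. (42)
10:05:00.000400 IP 10.1.1.53.53 > 10.1.1.2.40003: 4099 1/0/0 PTR admin.example.net. (70)
"""

# One tcpdump DNS line: timestamp, IP src.port > dst.port: txid[flags] rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*)(?: (?P<rest>.*))?$"
)


def parse_line(line):
    """Return a dict for a DNS query or response line, else None.
    Classification is by port: destination 53 is a query, source 53 a response."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["dport"] == "53":
        rec["kind"] = "query"
    elif rec["sport"] == "53":
        rec["kind"] = "response"
    else:
        return None
    return rec


def analyse(capture_text, member_ip):
    """Match responses to queries by transaction id; a reply only counts if it
    is addressed to this member (a reply to the cluster IP would land on the
    active member, which is exactly the failure the post describes)."""
    queries = {}
    answered = set()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            # The printed source is the member's own address even when the
            # packet is hidden behind the cluster IP on the wire, so it is
            # recorded but not used as evidence of anything.
            queries[rec["txid"]] = rec
        elif rec["txid"] in queries and rec["dst"] == member_ip:
            answered.add(rec["txid"])
    unanswered = sorted(t for t in queries if t not in answered)
    return {
        "queries": len(queries),
        "answered": len(answered),
        "unanswered_txids": unanswered,
        "replies_reach_member": bool(queries) and not unanswered,
    }


if __name__ == "__main__":
    for label, capture in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, analyse(capture, MEMBER_IP))
```

Run it on a capture from each member (`tcpdump -n udp port 53` piped to a file, then passed to `analyse` with that member's own address). A non-empty `unanswered_txids` on the standby while the active member shows the same queries answered is the signature of replies being hidden behind the cluster IP and dropped on the wrong member.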

Cool huh??

Make sure this doesn’t screw with your OSPF/routed or other gateway initiated traffic because remember all gateway initiated traffic is now from the member IP and not the cluster IP.

NAT away!!!!!

dreez


Comments

  • jontheniceguy  On October 24, 2013 at 5:26 pm

    You might also want to check out KB: sk31832

    • Dreezman  On October 24, 2013 at 6:12 pm

      Thanks! for the tip!

      I do try and avoid modifying files that don’t carry through an upgrade. But beggars can’t be choosers sometimes.

      dreez

  • SebastianB  On October 24, 2013 at 6:10 pm

    Hi,

    Also, an alternative would be to just remove certain protocols from clusterhide, as explained in sk31832.

    Might be useful if you for some reason need to keep hiding most outgoing traffic behind the cluster VIP.

    Regards
    Sebastian

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.