HPE Community
Integrity Servers
1752801 Members
5553 Online
108789 Solutions
New Discussion юеВ

rx2660 flooding problem on MP LAN

 
Christoph Schmid
New Member

тАО10-31-2007 02:04 AM

тАО10-31-2007 02:04 AM

rx2660 flooding problem on MP LAN

I wanted to ask the community if someone may has had (or still has) the following symptoms:

when more then one rx2660 connected to a LAN-segment under control of CheckPoint Firewall, massive UDP flooding can be observed, leading to difficulties reaching other machines connected to the same segment. DHCP on the MP is Disabled. When disconnecting one rx2660 from the segment state is normal again.


MP-Version: F.01.58
Firewall Nodes: CheckPoint SecurePlatform NG withApplication Intelligence (R55) Build 091

Messages captured are zillions like tis here:
13:03:35.107388 IP (tos 0x0, ttl 189, id 0, offset 0, flags [none], proto: UDP (17), length: 65) 10.90.10.57.8116 > 167.66.66.0.8116: [bad udp cksum 6ceb!] UDP, length 37

Any followers??

//best,

C. Schmid
0 Kudos
Reply
8 REPLIES 8
Steven E. Protter
Exalted Contributor

тАО10-31-2007 02:19 AM

тАО10-31-2007 02:19 AM

Re: rx2660 flooding problem on MP LAN

Shalom,

It is probably a hardware flaw.

First try updating the firmware of the MP. If this does not help call hardware, report the behavior and the MP card can be replaced.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Sameer_Nirmal
Honored Contributor

тАО10-31-2007 10:36 AM

тАО10-31-2007 10:36 AM

Re: rx2660 flooding problem on MP LAN

Port 8116 is used by firewall nodes for "state synchronization" (Check Point Clustering). I think you need to check the CheckPoint firewall nodes configuration.
0 Kudos
Reply
rick jones
Honored Contributor

тАО10-31-2007 12:29 PM

тАО10-31-2007 12:29 PM

Re: rx2660 flooding problem on MP LAN

Probably should add a -e (IIRC) to the tcpdump command line to show the MAC addresses. If it is one or the other of the MP's then you should see the MP's MAC as the src MAC in the frames.

It would be good to do that even if 10.90.10.57 happens to be an IP from one of the MPs. Serves as a sanity check in case say more than one MP/system has been configured with the same IP address.
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
grahamswilson
Trusted Contributor

тАО10-31-2007 12:58 PM

тАО10-31-2007 12:58 PM

Re: rx2660 flooding problem on MP LAN

Hi Christoph,

I do have exactly the same issue, and am very interested in what the solution will be! I logged a call with HP when we first noticed the issue here (some months ago now), but they were (are still?) unaware of any issues - our rx2660's are certainly at the very latest firmware revs...

Currently, the network group have had to put acl's on the switches so the traffic is "blocked", but it is a pain.

I'm actually very glad to see someone else have the same problem (if you know what I mean) - perhaps you could officially log this with HP also so they know it is not just me!

Cheers,
Graham.
0 Kudos
Reply
Christoph Schmid
New Member

тАО10-31-2007 08:48 PM

тАО10-31-2007 08:48 PM

Re: rx2660 flooding problem on MP LAN

Hello,

Thank to all of you who ansered me. Some answers:

@Steven: I already opened a case at HP. Solution see answer to Graham. Firmware is latest and greatest.

@Sameer: we did that. But we need the synching, so we cannot stop it.

@Rick: This was the first thing that we checked (douple IP's/ double MAC-Addresses). We found no duplicates. We also have 30 rx2620 machines connected to the same network. They behave normal. If all 23 rx2660 machines are connected to an independent Network-Switch (which means the CheckPonit Package does not reach them) they behave also normal. But then I have to access them via a notebook in order to access the MP. See also workaround as proposed by HP in the anser to Graham.

@Graham: This ist really good news to me to hear that someone else also suffers from the same problems as I do.

The workaround from HP is as follows: put a small router between the 10.90.x.y network and the flood-causing machines, which isolates them from receiving the CeckPoint StateSynch package. Of course, the isolated machines must change their MP-IP too (we use 10.91.1.x).

We also received statements from HP that the MP-multicast issue will be solved in the upcoming Firmware-release (scheduled to be availabe November to January)

//best

Chris
0 Kudos
Reply
Sameer_Nirmal
Honored Contributor

тАО11-01-2007 07:24 AM

тАО11-01-2007 07:24 AM

Re: rx2660 flooding problem on MP LAN

Thanks for sharing the HP's workaround here and that's good to know. I have seen a thread in here of iLO 2 MP multi-cast issue with rx3600.
So it looks like the issues revolves around iLO 2 MP in here and maybe HP is aware of this and is working on them.

Specifically in this case and I don't know how far it will make any sense, iLO2 MP ASIC does have an inbuilt firewall and somehow closing the port 8116 at MP level could have avoid this issue?
0 Kudos
Reply
rick jones
Honored Contributor

тАО11-01-2007 09:01 AM

тАО11-01-2007 09:01 AM

Re: rx2660 flooding problem on MP LAN

Does CheckPoint do anything "clever" with multicast addresses like say responding to ARP requests for unicast IPs with a multicast MAC?
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
Christoph Schmid
New Member

тАО01-09-2008 05:09 AM

тАО01-09-2008 05:09 AM

Re: rx2660 flooding problem on MP LAN

Here's the solution:

I installed the new firmware 3.01 as of Nov 26, 2007. All Problems have vanished.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.