Proxy ARP does not work with VLAN tagged circuits on Check Point VSX NGX R65

book

Article ID: 167848

calendar_today

Updated On:

Products

XOS

Issue/Introduction

Proxy ARP does not work with VLAN tagged circuits on Check Point VSX NGX R65When Check Point VSX NGX R65 receives an ARP request on a tagged circuit, it does not consider the VLAN tag and sends the ARP reply untagged.

Network Diagram

User-added image

When you experience this problem, you see an incomplete ARP entry on neighbor device. There is no connectivity problem at interface level and correct proxy ARP configuration on VSX , e.g.:

1) ARP entry on neighbor router for a given NATed IP address is incomplete:

Cisco#show ip arp vlan 150
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.150.243 0 Incomplete ARPA


2) ARP definition in the file local.arp is set correctly for the IP address and active:
vsx_1 (CBS): [vs0] conf$ fw ctl -vs 1 arp
(192.168.150.243) at 00-03-d2-e0-09-c9 interface 192.168.150.201

Cause

This issue has been identified as a Check Point problem. The firewall ignores VLAN interfaces when responding to ARP requests. 


Resolution

Check Point developed a hotifx for this issue. Contact Check Point support and request the hotfix fw1_HOTFIX_ECUADOR2_NO_UF_HF_BASE_141 or newer. You can also reference the SR 11-149793441.  

Workaround

To workaround this issue, you have 2 choices:
  • Use only untagged circuits with Check Point proxy ARP
or
  • set the option hide-vlan-header  in Crossbeam configuration for circuits that participate in proxy ARP.
You will have to set the flag  hide-vlan-header option manually for each individual circuit on which the ARP feature from Check Point needs to be used.

Attachments