Interconnecting Virtual Systems Using External Switches

Article ID: 167878


Products

XOS

Issue/Introduction

This article describes a workaround and a solution for intermittent connectivity problems that can occur when Check Point VSX Virtual Systems are interconnected using external non-VLAN circuits.

Cause

Problem: When Virtual Systems are connected using an external circuit and NPM ports, the same flow is classified twice:
  • One classification occurs when the flow enters the NPM destined for VS1.
  • The other occurs when the flow enters the NPM destined for VS2.
Because the flow characteristics are identical (IP-SA, IP-DA, destination port, source port, and domain-id), the NPM cannot distinguish the two flows. See also the Technical Bulletin "Serializing VAP Groups Using an External Circuit".
 
When the packet leaves VS1 and re-enters the NPM destined for VS2, the existing flow entry is overwritten with the new flow information. When the return traffic is received by the NPM destined for VS1, it has to be re-classified, and as a result the return flow may be sent to a different VAP than the one that originated the flow. The two directions of the flow are then handled asymmetrically by two different firewalls, and the firewall that holds no state for the connection drops the traffic.

Note: See the attachment for diagrams that illustrate the examples.

Resolution

To connect Virtual Systems using an external circuit

When connecting virtual systems using an external circuit and NPM ports, a different domain-id must be configured on each virtual system circuit.

For example, a domain-id with a value of 21 is assigned to circuit1 and a domain-id with a value of 22 is assigned to circuit2.

Note: See the attachment for diagrams that illustrate the examples.

Doing so creates separate flow entries for flows leaving and entering circuit1 and circuit2, so the existing entry for one circuit is no longer overwritten by the classification on the other.
Unfortunately, the domain-id of an existing circuit cannot be modified. The circuit has to be deleted and recreated, and the domain-id is specified when you create it again:

CBS# configure circuit circuit1 domain 21

Note: In order to delete a circuit, all references to this circuit must be removed first (IP routes, DNS server, logical interfaces, VRRP virtual routers, and so on).

Note: When using Check Point VSX-NGX, a Virtual Switch can be used to interconnect virtual systems. See the attachment for a diagram.
 
In general, Crossbeam recommends assigning different domain-ids for each circuit used by VSX.

Note (1): When VLAN circuits are created using SmartDashboard, a different domain-id is automatically configured for each circuit (if support for overlapping IPs is enabled).

Note (2): Non-VLAN circuits must be created manually in the Crossbeam CLI. When no domain-id is specified, the default domain-id (1) is assigned.

Note (3): The VSX management and synchronization circuits can be configured without a domain-id; they then use the default domain (1).

Workaround

As a temporary workaround, the VAP group can be reduced to one member by configuring max-load-count to 1. With a single VAP there is only one firewall that can receive either direction of the flow, so a mis-steered return flow can no longer land on a firewall without state; load sharing across the VAP group is lost until the domain-ids are corrected.
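The following is an added toy model of the behaviour described in the Cause, Resolution and Workaround sections above; it is not Crossbeam or Check Point code, and the real NPM classifier is not documented on this page beyond the flow key, the overwrite and the VAP mismatch. It assumes that a flow entry is bidirectional (the endpoint pair is normalised so the return packet finds the entry its forward packet created), that every fresh classification takes the next VAP of the group round-robin, and that circuit1 is the NPM ingress point for traffic destined to VS1 and circuit2 the ingress point for traffic destined to VS2 in both directions. The VS names, VAP names, sample addresses and ports are constructed for the illustration.

```python
"""Toy model of how the NPM steers one connection through two VSX Virtual
Systems joined by an external circuit.  Added illustration, not Crossbeam
or Check Point code.  Assumptions (not from the article):
  * a flow entry is bidirectional, endpoints normalised;
  * each fresh classification takes the next VAP round-robin;
  * circuit1 feeds VS1 and circuit2 feeds VS2 in both directions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Flow key from the article: IP-SA, IP-DA, source port, destination port, domain-id.
FlowKey = Tuple[int, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    ip_sa: str
    sport: int
    ip_da: str
    dport: int


@dataclass
class Circuit:
    name: str
    vs: str         # Virtual System this circuit feeds
    domain_id: int  # XOS assigns domain-id 1 when none is configured


@dataclass
class NPM:
    vaps: List[str]
    flows: Dict[FlowKey, str] = field(default_factory=dict)            # flow entry -> VAP
    state: Set[Tuple[str, str, FlowKey]] = field(default_factory=set)  # (VAP, VS, flow) holding firewall state
    overwrites: List[FlowKey] = field(default_factory=list)
    dropped: List[str] = field(default_factory=list)
    _rr: int = 0

    @staticmethod
    def flow_key(circuit: Circuit, pkt: Packet) -> FlowKey:
        # Normalise the endpoint pair so both directions map to one entry.
        lo, hi = sorted([(pkt.ip_sa, pkt.sport), (pkt.ip_da, pkt.dport)])
        return (circuit.domain_id, lo[0], lo[1], hi[0], hi[1])

    def classify(self, circuit: Circuit, pkt: Packet) -> str:
        """Forward packet entering the NPM on `circuit`: a fresh classification."""
        key = self.flow_key(circuit, pkt)
        vap = self.vaps[self._rr % len(self.vaps)]   # assumed round-robin VAP choice
        self._rr += 1
        if key in self.flows:
            self.overwrites.append(key)              # identical key: the entry is overwritten
        self.flows[key] = vap
        self.state.add((vap, circuit.vs, key))       # that VS on that VAP now holds state
        return vap

    def steer(self, circuit: Circuit, pkt: Packet) -> str:
        """Return packet: steered by the stored entry; dropped if that VS has no state there."""
        key = self.flow_key(circuit, pkt)
        vap = self.flows[key]
        if (vap, circuit.vs, key) not in self.state:
            self.dropped.append(f"{circuit.vs} on {vap} has no state for {pkt}")
        return vap


def simulate(domain1: int, domain2: int, vap_count: int = 2) -> Dict[str, int]:
    """Run one connection VS1 -> VS2 and back; domain ids are per circuit."""
    npm = NPM(vaps=[f"vap{i + 1}" for i in range(vap_count)])
    circuit1 = Circuit("circuit1", "VS1", domain1)
    circuit2 = Circuit("circuit2", "VS2", domain2)
    fwd = Packet("10.1.1.10", 40000, "10.2.2.20", 443)   # constructed sample flow
    rev = Packet("10.2.2.20", 443, "10.1.1.10", 40000)
    npm.classify(circuit1, fwd)   # enters the NPM destined for VS1
    npm.classify(circuit2, fwd)   # leaves VS1, re-enters destined for VS2
    npm.steer(circuit2, rev)      # return traffic back through VS2 ...
    npm.steer(circuit1, rev)      # ... and then through VS1
    return {"entries": len(npm.flows), "overwrites": len(npm.overwrites), "dropped": len(npm.dropped)}


if __name__ == "__main__":
    print("default domain-id 1 on both circuits:", simulate(1, 1))
    print("domain-id 21 on circuit1, 22 on circuit2:", simulate(21, 22))
    print("workaround, max-load-count 1:", simulate(1, 1, vap_count=1))
```

With the default domain-id on both circuits the two classifications collide on one entry, the second one overwrites it, and the return packet for VS1 is steered to the VAP that only holds VS2's state, so it is dropped. With domain-ids 21 and 22 the two legs get separate entries and nothing is dropped. The workaround case shows why a one-member VAP group hides the problem: the entry is still overwritten, but there is only one VAP for the return traffic to land on.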