Unable to establish SIC on a VAP group with a single member

Article ID: 168135

Products

XOS

Issue/Introduction

Customers may experience a problem establishing SIC after a new installation when the management circuit is configured without the increment-per-vap parameter. This article discusses the proper configuration of management and synchronization circuits for the Check Point application. After installing the Check Point application on a single-member VAP group, the customer is unable to establish SIC. A ping from the VAP to the Check Point management station may work, but Check Point management traffic (SIC) to the VAP is dropped by the NPM with the drop reason "Load-balance failed".

Cause

When configuring management and synchronization circuits, the increment-per-vap parameter is required. It must be present on both circuits even if the VAP group contains only one VAP.

Otherwise the NPM drops packets to the VAP when the application monitor reports an application failure. Since the Check Point application cannot be ready before SIC (and the first policy installation), the NPM drops the packets and it is impossible to establish SIC.

Resolution

The solution is to include the 'increment-per-vap' keyword, which instructs the NPM to always pass the traffic for the specified destination IP address. The NPM applies a separate flow rule for increment-per-vap addresses which has a higher priority than the usual load-balance flow rule, so the traffic is passed regardless of what the application monitor reports.

Example configuration of the management circuit with a single VAP:

circuit mgmt
device-name mgmt
vap-group fw
ip 9.9.9.1/24 9.9.9.255 increment-per-vap 9.9.9.1
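A small configuration check, added here as an example and not part of the original article or of XOS: it parses circuit blocks in the syntax shown above and reports management/sync circuits whose ip line lacks increment-per-vap. The circuit names to check ("mgmt", "sync") and the sample configuration are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the article's example; the "sync"
# circuit and its addresses are assumptions, not taken from XOS documentation.
SAMPLE_CONFIG = """\
circuit mgmt
  device-name mgmt
  vap-group fw
  ip 9.9.9.1/24 9.9.9.255
circuit sync
  device-name sync
  vap-group fw
  ip 10.10.10.1/24 10.10.10.255 increment-per-vap 10.10.10.1
circuit data
  device-name data
  vap-group fw
  ip 172.16.1.1/24 172.16.1.255
"""


def parse_circuits(text: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'circuit <name>' block under its name."""
    circuits: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^circuit\s+(\S+)$", line)
        if m:
            current = m.group(1)
            circuits[current] = []
        elif current is not None:
            circuits[current].append(line)
    return circuits


def circuits_missing_increment(text: str,
                               names: Tuple[str, ...] = ("mgmt", "sync")) -> List[str]:
    """Return the management/sync circuits whose 'ip' line lacks
    increment-per-vap, i.e. the circuits on which SIC traffic would be
    dropped by the NPM while the application monitor reports a failure."""
    missing: List[str] = []
    for name, lines in parse_circuits(text).items():
        if name not in names:
            continue
        for line in lines:
            if line.startswith("ip ") and "increment-per-vap" not in line:
                missing.append(name)
                break
    return missing
```

Run against a saved copy of the circuit configuration before installing the Check Point application; any circuit it lists needs the increment-per-vap keyword added.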

Workaround

You can temporarily disable application monitoring on the VAP group so that traffic is load-balanced to the VAP regardless of the application state, which allows SIC to be established.