Proxy ARP does not work with VLAN tagged circuits on Check Point VSX NGX R65
When Check Point VSX NGX R65 receives an ARP request on a tagged circuit, it does not consider the VLAN tag and sends the ARP reply untagged.
When you experience this problem, you see an incomplete ARP entry on the neighbor device. There is no connectivity problem at the interface level, and the proxy ARP configuration on VSX is correct, e.g.:
1) ARP entry on neighbor router for a given NATed IP address is incomplete:
Cisco#show ip arp vlan 150
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.150.243 0 Incomplete ARPA
2) The ARP definition in the file local.arp is set correctly for the IP address and is active:
vsx_1 (CBS): [vs0] conf$ fw ctl -vs 1 arp
(192.168.150.243) at 00-03-d2-e0-09-c9 interface 192.168.150.201
This issue has been identified as a Check Point problem. The firewall ignores VLAN interfaces when responding to ARP requests.
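To confirm this symptom from a packet capture rather than from the router's ARP table, the following added example (not part of the original note or of any Check Point tool) pairs each 802.1Q-tagged ARP request with the reply it receives and reports replies that come back on a different VLAN or untagged. The frames are constructed inline; the router MAC and the router IP 192.168.150.1 are assumed values, the VSX MAC is the one from the local.arp entry above.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag ethertype
ETH_P_ARP = 0x0806

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa, vlan=None):
    """Constructed Ethernet/ARP frame; op 1 = request, 2 = reply."""
    hdr = (b"\xff" * 6 if op == 1 else tha) + sha
    if vlan is not None:  # PCP/DEI = 0, so the TCI field equals the VLAN ID
        hdr += struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_ARP)
    else:
        hdr += struct.pack("!H", ETH_P_ARP)
    return hdr + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                             sha, ip_bytes(spa), tha, ip_bytes(tpa))

def parse_arp(frame):
    """Return {vlan, op, spa, tpa} for an ARP frame, or None if not ARP."""
    ethertype, vlan, off = struct.unpack("!H", frame[12:14])[0], None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_ARP:
        return None
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[off:off + 28])
    op, spa, tpa = fields[4], fields[6], fields[8]  # skip htype/ptype/hlen/plen/sha/tha
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"vlan": vlan, "op": op, "spa": dotted(spa), "tpa": dotted(tpa)}

def find_mistagged_replies(frames):
    """Report replies whose VLAN differs from the tagged request they answer."""
    asked, findings = {}, []  # asked: target IP -> VLAN the request arrived on
    for p in filter(None, map(parse_arp, frames)):
        if p["op"] == 1 and p["vlan"] is not None:
            asked[p["tpa"]] = p["vlan"]
        elif p["op"] == 2 and p["spa"] in asked and p["vlan"] != asked[p["spa"]]:
            findings.append((p["spa"], asked[p["spa"]], p["vlan"]))
    return findings

ROUTER = bytes.fromhex("00aabbccdd01")  # constructed router MAC (assumption)
VSX = bytes.fromhex("0003d2e009c9")     # MAC from the local.arp entry above
# Constructed capture: request tagged VLAN 150, proxy ARP reply sent untagged
SAMPLE = [
    build_arp(1, ROUTER, "192.168.150.1", b"\x00" * 6, "192.168.150.243", vlan=150),
    build_arp(2, VSX, "192.168.150.243", ROUTER, "192.168.150.1"),
]
```

Running find_mistagged_replies(SAMPLE) returns [('192.168.150.243', 150, None)]: the reply for the NATed address arrived with no VLAN tag, which is exactly why the router keeps an incomplete entry on VLAN 150.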
Check Point developed a hotfix for this issue. Contact Check Point support and request the hotfix fw1_HOTFIX_ECUADOR2_NO_UF_HF_BASE_141 or newer. You can also reference the SR 11-149793441.