This article describes a workaround and a solution for connectivity problems that can occur when connecting Check Point VSX Virtual Systems using external non-VLAN circuits.
Symptom: Intermittent connectivity problems occur when Virtual Systems are interconnected using external non-VLAN circuits.
Problem: When Virtual Systems are connected using an external circuit on NPM ports, the same flow is classified twice: once when it leaves on the first circuit and again when it enters on the second. When both circuits are in the same domain, the second classification overwrites the flow entry created by the first, which causes the intermittent connectivity problems.
Solution: Assign a different domain-id to each of the circuits. Doing so creates separate flow information entries for flows leaving and entering the circuits ext1 and ext2, and existing flow entries for circuit1 and circuit2 will not be overwritten.
Unfortunately, the domain-id of an existing circuit cannot be modified. The circuit has to be deleted and recreated, and the domain-id is specified when the circuit is created again:
CBS# configure circuit circuit1 domain 21
Note: Before a circuit can be deleted, all references to it must be removed first (IP routes, DNS servers, logical interfaces, VRRP virtual routers, and so on).
Note: When using Check Point VSX-NGX, a Virtual Switch can be used to interconnect virtual systems. See the attachment for a diagram.
In general, Crossbeam recommends assigning different domain-ids for each circuit used by VSX.
Note (1): When VLAN circuits are created from SmartDashboard, a different domain-id is configured automatically for each circuit (if support for overlapping IP addresses is enabled).
Note (2): Non-VLAN circuits must be created manually in the Crossbeam CLI. When no domain-id is specified, the default domain-id (1) is assigned.
Note (3): The VSX management and synchronization circuits can be configured without a domain-id; they use the default domain (1).
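The following is an added illustration of the collision described in the Problem section above and of the default-domain behaviour in Note (2); it is not Crossbeam XOS or Check Point VSX code. It models the per-circuit flow classification as a table keyed by (domain-id, 5-tuple), which is an assumption chosen to reproduce the behaviour the article states; the circuit names ext1/ext2, the domain-ids 21/22 and the sample packet are constructed for the example.

```python
"""
Toy model of flow classification across two external circuits.
Assumption (not from the article): each flow entry is keyed by the
circuit's domain-id plus the packet 5-tuple, so two circuits in the same
domain that see the same packet produce the same key.
"""
from dataclasses import dataclass, field

DEFAULT_DOMAIN = 1  # article, Note (2): circuits created without a domain-id get domain 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def five_tuple(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class FlowTable:
    circuits: dict = field(default_factory=dict)     # circuit name -> domain-id
    entries: dict = field(default_factory=dict)      # (domain, 5-tuple) -> circuit that last classified it
    overwritten: list = field(default_factory=list)  # (old circuit, new circuit, key) for every collision

    def configure_circuit(self, name, domain=None):
        # Unspecified domain-id falls back to the default domain, as in the article.
        self.circuits[name] = DEFAULT_DOMAIN if domain is None else domain

    def classify(self, circuit, pkt):
        key = (self.circuits[circuit], pkt.five_tuple())
        if key in self.entries and self.entries[key] != circuit:
            # The same flow was already classified on another circuit of the same
            # domain: the earlier entry is replaced. This is the collision that
            # causes the intermittent connectivity problems.
            self.overwritten.append((self.entries[key], circuit, key))
        self.entries[key] = circuit
        return key


def simulate(domains):
    """Send one VS1 -> VS2 flow out of ext1 and back in on ext2.

    domains maps circuit name -> domain-id (missing or None = not specified).
    Returns (number of flow entries kept, list of overwrites)."""
    table = FlowTable()
    for name in ("ext1", "ext2"):
        table.configure_circuit(name, domains.get(name))
    pkt = Packet("10.0.1.10", "10.0.2.20", 40000, 443)  # constructed sample flow
    table.classify("ext1", pkt)   # leaves VS1 on ext1
    table.classify("ext2", pkt)   # re-enters on ext2 towards VS2 (same 5-tuple)
    return len(table.entries), table.overwritten


def shared_domains(domains):
    """Audit helper for the recommendation to use distinct domain-ids per circuit:
    returns {domain-id: [circuits]} for every domain-id used by more than one circuit."""
    by_domain = {}
    for name, domain in domains.items():
        by_domain.setdefault(DEFAULT_DOMAIN if domain is None else domain, []).append(name)
    return {d: names for d, names in by_domain.items() if len(names) > 1}


if __name__ == "__main__":
    print("no domain-id given:   ", simulate({}))                       # one entry, one overwrite
    print("distinct domain-ids:  ", simulate({"ext1": 21, "ext2": 22}))  # two entries, no overwrite
    print("shared-domain audit:  ", shared_domains({"ext1": None, "ext2": None, "sync": None}))
```

Running the block with no domain-ids reproduces the collision (both circuits land in domain 1 and the second classification overwrites the first); with distinct domain-ids the two entries coexist. `shared_domains` reports which circuits still share a domain-id, which is the condition the recommendation above tells you to avoid for circuits used by VSX.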