Proxy ARP does not work with VLAN tagged circuits on Check Point VSX NGX R65

When Check Point VSX NGX R65 receives an ARP request on a tagged circuit, it does not consider the VLAN tag and sends the ARP reply untagged.

When you experience this problem, you see an incomplete ARP entry on the neighbor device, even though there is no connectivity problem at the interface level and the proxy ARP configuration on the VSX is correct, e.g.:
1) The ARP entry on the neighbor router for a given NATed IP address is incomplete:

    Cisco#show ip arp vlan 150
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  192.168.150.243          0  Incomplete      ARPA

2) The ARP definition in the file local.arp is set correctly for the IP address and is active:

    vsx_1 (CBS): [vs0] conf$ fw ctl -vs 1 arp
    (192.168.150.243) at 00-03-d2-e0-09-c9 interface 192.168.150.201
This issue has been identified as a Check Point problem. The firewall ignores VLAN interfaces when responding to ARP requests.
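The following script is an added example written for this article; it is not Check Point or Crossbeam code. It parses raw Ethernet/ARP frames (with or without an 802.1Q tag), pairs each ARP reply with the most recent request for that IP, and reports replies whose VLAN tag differs from the request's, which is exactly the symptom described above. The frames, MAC addresses and router IP in SAMPLE_FRAMES are constructed for the example (the proxy MAC and NATed IP are taken from the article output); in practice you would feed it frames captured on the neighbor switch port or from a span session.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_str(b: bytes) -> str:
    # Dash-separated lowercase, matching the "fw ctl arp" output style
    return "-".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.replace(":", "-").split("-"))


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame plus its VLAN id (None if
    the frame is untagged), or None if the frame is not a well-formed ARP."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN id
        offset = 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled
    body = frame[offset + 8:offset + 28]
    return {
        "vlan": vlan, "oper": oper,
        "sha": body[0:6], "spa": ip_str(body[6:10]),
        "tha": body[10:16], "tpa": ip_str(body[16:20]),
    }


def build_arp_frame(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes,
                    vlan: Optional[int] = None) -> bytes:
    """Build a constructed ARP frame for the example (broadcast for requests)."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    hdr = dst + sha
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return hdr + arp


def find_mismatched_arp_replies(frames: List[bytes]) -> List[dict]:
    """Pair ARP replies with the latest request for the same IP and flag replies
    whose VLAN tag does not match the VLAN the request was seen on."""
    pending: Dict[str, Optional[int]] = {}  # target IP -> VLAN of last request
    findings = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue
        if arp["oper"] == ARP_REQUEST:
            pending[arp["tpa"]] = arp["vlan"]
        elif arp["oper"] == ARP_REPLY and arp["spa"] in pending:
            expected = pending.pop(arp["spa"])
            if arp["vlan"] != expected:
                findings.append({"ip": arp["spa"], "mac": mac_str(arp["sha"]),
                                 "expected_vlan": expected, "reply_vlan": arp["vlan"]})
    return findings


# Constructed sample: router MAC/IP are hypothetical; proxy MAC and .243 are from the article
ROUTER_MAC, ROUTER_IP = mac_bytes("00-11-22-33-44-55"), ip_bytes("192.168.150.1")
PROXY_MAC, ZERO_MAC = mac_bytes("00-03-d2-e0-09-c9"), b"\x00" * 6
SAMPLE_FRAMES = [
    # Request on VLAN 150 for the NATed IP, answered untagged (the R65 behaviour)
    build_arp_frame(ARP_REQUEST, ROUTER_MAC, ROUTER_IP, ZERO_MAC, ip_bytes("192.168.150.243"), vlan=150),
    build_arp_frame(ARP_REPLY, PROXY_MAC, ip_bytes("192.168.150.243"), ROUTER_MAC, ROUTER_IP),
    # Request on VLAN 150 for another IP, answered with the correct tag
    build_arp_frame(ARP_REQUEST, ROUTER_MAC, ROUTER_IP, ZERO_MAC, ip_bytes("192.168.150.244"), vlan=150),
    build_arp_frame(ARP_REPLY, PROXY_MAC, ip_bytes("192.168.150.244"), ROUTER_MAC, ROUTER_IP, vlan=150),
]

if __name__ == "__main__":
    for f in find_mismatched_arp_replies(SAMPLE_FRAMES):
        print(f"{f['ip']} answered by {f['mac']}: request on VLAN {f['expected_vlan']}, "
              f"reply VLAN {f['reply_vlan']}")
```

A finding with reply_vlan None for an IP whose request was tagged is the signature of this issue: the neighbor never sees the reply on its VLAN, so the entry stays Incomplete while local.arp looks correct.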
Check Point developed a hotfix for this issue. Contact Check Point support and request the hotfix fw1_HOTFIX_ECUADOR2_NO_UF_HF_BASE_141 or newer. You can also reference the SR 11-149793441.
To work around this issue, you have 2 choices:

1) Use only untagged circuits with Check Point proxy ARP.

2) Set the option hide-vlan-header in the Crossbeam configuration for circuits that participate in proxy ARP. You will have to set the hide-vlan-header option manually for each individual circuit on which the Check Point ARP feature needs to be used.
A similar problem has been documented for regular Check Point NGX R60 in Check Point article sk31951.
Imported Document ID: 000019070