Forum Discussion

jal1230_40013
Oct 16, 2012

Auto last hop enabled with Checkpoint firewall

We have a pair of F5 LTM 3900s running version 11.1. We were able to ping virtual servers from our internal hosts through a Checkpoint cluster. Once we turned auto last hop on per VLAN we can no longer ping the virtual servers through the Checkpoint cluster. A capture sees the traffic getting to the F5 and back to the firewall. I was wondering if anyone has seen this problem before with auto last hop turned on and not being able to ping virtual servers.

19 Replies

  • The packet goes over the transit interface to the F5 and the reply comes back from the F5 according to the packet capture. The question is what is different with ALH on that the Checkpoint does not forward the ICMP request.

    00:1c:7f:3f:49:b2 > 00:23:e9:02:98:c9,

    00:23:e9:02:98:c9 > 00:1c:7f:3f:49:b2,
  • Well, if you've closely checked the packet capture on the F5 with ALH enabled and disabled and can't see a difference in MACs, packet sizes, headers or anything else then I've really no idea I'm afraid.

    Again, can you run a packet capture on the firewall and see where the packet actually goes?
  • The ICMP packet is going in the right direction. The one thing is we are running GAIA on our firewall cluster; I am wondering if someone has this same setup with ALH on and going through a Checkpoint firewall cluster with GAIA loaded. It seems like the F5 sends back the reply but the Checkpoint never sends it back to the internal network. We had to turn ALH on to resolve an issue with servers talking to the virtual servers. Thanks for the replies, Steve, if you can think of anything else, or if anyone in the community has this setup.
  • Perhaps you can provide some more detail on why you feel you need ALH on, maybe we can solve that issue another way?
  • The issue came up that servers on the VLANs off the F5 were unable to access the virtual server IP address. Once we turned ALH on they were able to reach the virtual address; however, as a result we are now unable to ping the virtual servers from our internal network. The Checkpoint firewall cluster that the F5 LTMs have transit connections to is able to ping them. We have ALH turned on for these transit networks.
  • OK, are the servers on a VLAN directly attached to the F5? Is the F5 the default gateway for those VLANs? What I'm trying to establish is if the F5 needs to route to those servers if ALH is off.
  • I agree with Steve. When turning auto last hop on, the issue could relate to how Checkpoint uses the MAC address. When auto last hop is turned off, a route has to be added.

    sol9487: BIG-IP support for neighboring VRRP/HSRP routers

    http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9487.html
  • Yes, the servers are on the same subnet as the F5s. The gateway for the subnets themselves is the Checkpoint; we have a special subnet for the virtual addresses, so that when a transaction comes in it goes through the Checkpoints, to the F5 and then to the server. We do have default routes set up for all the transit networks back to the Checkpoint. Before we turned ALH on to fix an issue we were able to ping the virtual address; the tcpdumps do show the ICMP packets talking between the devices. I agree that with ALH on the issue is related to the way Checkpoint uses the MAC address.
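Steve's suggestion earlier in the thread is to compare captures taken with ALH on and off and look for a difference in the MAC addresses, and the later reply points at how the Checkpoint cluster uses MAC addresses. The script below is an added example, not code from the original thread or from F5, that parses `tcpdump -e -nn icmp` text output, pairs each echo reply with its request by ICMP id/seq, and reports whether the reply frame went to the MAC the request came from (auto last hop behaviour) or to the MAC the BIG-IP resolved for its route next hop. The two sample captures are constructed: the two MACs are the ones quoted in the thread, while the timestamps, IP addresses, ICMP ids and the gateway MAC `00:00:5e:00:01:0a` are made up for illustration. Running it against the real captures from the thread would show whether the request's source MAC and the next-hop MAC actually differ; the thread itself does not establish that.

```python
"""Classify where ICMP echo replies go at layer 2 in `tcpdump -e -nn icmp` output."""
import re
from dataclasses import dataclass

# Constructed sample captures in tcpdump -e -nn text format. The MACs
# 00:1c:7f:3f:49:b2 and 00:23:e9:02:98:c9 are quoted in the thread; the
# timestamps, IPs, ICMP ids and the gateway MAC are made up for this example.
CAPTURE_ALH_ON = """\
10:00:01.000100 00:1c:7f:3f:49:b2 > 00:23:e9:02:98:c9, ethertype IPv4 (0x0800), length 98: 10.10.1.25 > 10.20.5.10: ICMP echo request, id 4321, seq 1, length 64
10:00:01.000250 00:23:e9:02:98:c9 > 00:1c:7f:3f:49:b2, ethertype IPv4 (0x0800), length 98: 10.20.5.10 > 10.10.1.25: ICMP echo reply, id 4321, seq 1, length 64
10:00:02.000100 00:1c:7f:3f:49:b2 > 00:23:e9:02:98:c9, ethertype IPv4 (0x0800), length 98: 10.10.1.25 > 10.20.5.10: ICMP echo request, id 4321, seq 2, length 64
10:00:02.000250 00:23:e9:02:98:c9 > 00:1c:7f:3f:49:b2, ethertype IPv4 (0x0800), length 98: 10.20.5.10 > 10.10.1.25: ICMP echo reply, id 4321, seq 2, length 64
"""

CAPTURE_ALH_OFF = """\
10:05:01.000100 00:1c:7f:3f:49:b2 > 00:23:e9:02:98:c9, ethertype IPv4 (0x0800), length 98: 10.10.1.25 > 10.20.5.10: ICMP echo request, id 4322, seq 1, length 64
10:05:01.000250 00:23:e9:02:98:c9 > 00:00:5e:00:01:0a, ethertype IPv4 (0x0800), length 98: 10.20.5.10 > 10.10.1.25: ICMP echo reply, id 4322, seq 1, length 64
"""

# Hypothetical MAC the BIG-IP has in its ARP table for the default-route next
# hop (the firewall cluster address). On a real box, take it from the ARP table
# rather than guessing it.
GATEWAY_MAC = "00:00:5e:00:01:0a"

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<smac>{MAC}) > (?P<dmac>{MAC}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3}) > (?P<dip>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


@dataclass(frozen=True)
class IcmpFrame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str      # "request" or "reply"
    icmp_id: int
    seq: int


@dataclass(frozen=True)
class ReplyVerdict:
    icmp_id: int
    seq: int
    dst_mac: str
    verdict: str   # "last-hop", "routed", "last-hop=gateway", "other", "unmatched"


def parse_capture(text: str) -> list[IcmpFrame]:
    """Parse tcpdump -e -nn lines; lines that are not ICMP echo frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        frames.append(IcmpFrame(m["smac"], m["dmac"], m["sip"], m["dip"],
                                m["kind"], int(m["id"]), int(m["seq"])))
    return frames


def classify_replies(frames: list[IcmpFrame], gateway_mac: str) -> list[ReplyVerdict]:
    """Pair replies with requests by (id, seq) and say which MAC each reply went to."""
    gateway_mac = gateway_mac.lower()
    requests = {(f.icmp_id, f.seq): f for f in frames if f.kind == "request"}
    verdicts = []
    for f in frames:
        if f.kind != "reply":
            continue
        req = requests.get((f.icmp_id, f.seq))
        if req is None:
            verdict = "unmatched"           # reply seen with no request in this capture
        elif f.dst_mac == req.src_mac == gateway_mac:
            verdict = "last-hop=gateway"    # ALH on/off are indistinguishable at L2 here
        elif f.dst_mac == req.src_mac:
            verdict = "last-hop"            # reply returned to the MAC the request came from
        elif f.dst_mac == gateway_mac:
            verdict = "routed"              # reply sent to the route next hop's MAC
        else:
            verdict = "other"               # neither; worth a closer look at the capture
        verdicts.append(ReplyVerdict(f.icmp_id, f.seq, f.dst_mac, verdict))
    return verdicts


def summarize(verdicts: list[ReplyVerdict]) -> dict[str, int]:
    """Count verdicts so two captures can be compared at a glance."""
    counts: dict[str, int] = {}
    for v in verdicts:
        counts[v.verdict] = counts.get(v.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for label, cap in (("ALH on", CAPTURE_ALH_ON), ("ALH off", CAPTURE_ALH_OFF)):
        results = classify_replies(parse_capture(cap), GATEWAY_MAC)
        print(label, summarize(results))
        for r in results:
            print(f"  id={r.icmp_id} seq={r.seq} reply -> {r.dst_mac}: {r.verdict}")
```

If the two captures from a real run both come out as `last-hop=gateway`, the request's source MAC and the next-hop MAC are the same and the difference must be somewhere other than the destination MAC of the reply; if the ALH-on capture shows `last-hop` with a different MAC than the `routed` one, the reply is being handed to a different cluster MAC than the one the BIG-IP would route to, which is the kind of difference the thread is asking about.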