04-11-2014 01:05 AM
Anybody here using Check Point's bond interfaces with static lag on ICX6610 (L2, v0.8)? I can't get it working with two cables attached to the lag at the same time.
Check Point version is R77.10 (running on Gaia). Bond is configured as Active/Backup and contains two physical interfaces (the primary interface on Check Point's bond corresponds to the primary port configured in the lag).
Here is the config:
lag "DMZ" static id 3
ports ethernet 1/1/1 ethernet 2/1/1
vlan 2 name DMZ by port
untagged ethe 1/1/1 ethe 1/1/10 ethe 2/1/1
lag "INTERNAL" static id 4
ports ethernet 1/1/2 ethernet 2/1/2
vlan 3 name INTERNAL by port
untagged ethe 1/1/2 ethe 1/1/20 ethe 2/1/2
Ports 'ethe 1/1/10' and 'ethe 1/1/20' are PCs plugged into the relevant VLANs and pinging each other.
The issue is that it only works with one cable attached to the lag (either primary or secondary). If I connect both cables at the same time PCs can't ping each other anymore.
I can't figure out what's wrong. The lag seems OK, and from the Check Point side both ports are up, but no pings are getting through.
=== LAG "DMZ" ID 3 (static Deployed) ===
Ports: e 1/1/1 e 2/1/1
Port Count: 2
Primary Port: 1/1/1
Trunk Type: hash-based
Deployment: HW Trunk ID 3
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/1/1 Up Forward Full 1G 3 No 2 0 cc4e.2416.f624
2/1/1 Up Forward Full 1G 3 No 2 0 cc4e.2416.f624
Any hints would be greatly appreciated.
04-11-2014 01:34 AM
Using Check Point speak, change the firewalls to Load Sharing (Active/Active), as Active/Backup is used for connecting the firewall to different switches for failover, while you have the 6610s set up for LACP (active/active).
You may want to have a look at https://sc1.checkpoint.com/documents/R76/CP_R76_VS
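An added illustration of the mechanism behind that answer, written for this page and not taken from the thread or from Check Point or Brocade documentation. It models the return direction (switch toward firewall): the ICX trunk is hash-based, so it spreads frames toward the firewall across both LAG members, while a Linux-style active/backup bond only hands frames up the stack when they arrive on the active slave and discards what lands on the backup slave (assumed here, matching Linux bonding's default behaviour). The port-selection hash is a crude byte-sum stand-in for the real ASIC hash, and the MAC addresses and flows are constructed sample data.

```python
"""Why an active/backup bond breaks behind a single hash-based LAG (added example)."""
from collections import Counter

# Constructed sample flows: twenty PC-side MACs talking to the bond's MAC
# (cc4e.2416.f624 is the address shown in the trunk output in the thread).
BOND_MAC = "cc4e.2416.f624"
FLOWS = [("0000.0000.%04x" % i, BOND_MAC) for i in range(1, 21)]


def lag_member(src_mac, dst_mac, members):
    """Pick the egress member the way a hash-based trunk would.

    Assumption: a byte-sum of the address pair stands in for the switch ASIC's
    real hash; what matters is that different flows land on different members.
    """
    h = sum((src_mac + dst_mac).encode())
    return members[h % len(members)]


def bond_accepts(mode, active, port):
    """Does the bond deliver a frame received on `port` to the IP stack?

    Assumption: mirrors Linux bonding. In active-backup mode frames arriving on
    the inactive slave are dropped; in a load-sharing (active/active) mode
    every slave is a valid receive path.
    """
    if mode == "active-backup":
        return port == active
    if mode == "load-sharing":
        return True
    raise ValueError("unknown bond mode: %s" % mode)


def delivery_ratio(mode, members=("1/1/1", "2/1/1"), active="1/1/1"):
    """Fraction of switch->firewall flows whose frames reach the IP stack."""
    delivered = sum(
        bond_accepts(mode, active, lag_member(src, dst, members))
        for src, dst in FLOWS
    )
    return delivered / len(FLOWS)


def per_member_load(members=("1/1/1", "2/1/1")):
    """How the trunk hash spreads the sample flows over the LAG members."""
    return Counter(lag_member(src, dst, members) for src, dst in FLOWS)


if __name__ == "__main__":
    print("trunk hash spread:", dict(per_member_load()))
    print("active-backup, both cables :", delivery_ratio("active-backup"))
    print("active-backup, one cable   :", delivery_ratio("active-backup", members=("1/1/1",)))
    print("load-sharing, both cables  :", delivery_ratio("load-sharing"))
```

With both cables in the LAG, the active-backup case loses every flow the trunk hashes onto the backup member, which is why pings stop once the second cable is connected; with only one member there is nowhere else for the hash to send traffic, so the single-cable case works, and a load-sharing bond accepts on both members regardless of where the switch hashes a flow. The firewall-to-switch direction is not the problem in either mode: the active slave's frames are accepted on any trunk member.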
04-11-2014 01:48 AM
Many thanks Michael!
Yes, Load Sharing (Active/Active) works without any issues. So the only reason Active/Backup doesn't work is that we're terminating both legs at the same switch?