Firewall on a stick ACI integration

Arthur Martin
Level 1

Hi all,

I was testing firewall integration into ACI using policy-based redirect. The below is my setup, which is working fine so far. My question is whether I'm missing something and would encounter issues that my tests did not cover.

grafik.png

As you may see, the setup is Network Centric, where an EPG = BD = VLAN, and the idea of this setup is to create a single contract with multiple subjects, where some protocols are redirected to the FW (with granular rules to allow or deny communication between individual hosts) and other protocols are processed by ACI so as not to burden the FW.


Looking forward to comments.

Thanks in advance

Arthur

1 Accepted Solution

Accepted Solutions

Arthur Martin
Level 1

Hi all,

Just in case someone is interested: this is a valid design using PBR; I confirmed this with CheckPoint and Cisco, and successfully tested it in our lab environment using ASAs and CheckPoint VSX.

Arthur


8 Replies


Hello all, I would like to re-open this discussion with you. I'm having some issues with Cisco ACI PBR and CheckPoint VSX firewall.

Basically, we have two CheckPoint VSX chassis in HA mode (Active/Standby). Within these chassis, a context (a virtual firewall cluster) is dedicated to PBR (implemented in one-arm mode). Within VSX, there is one IP address shared between the nodes in the cluster but two different MAC addresses. Therefore, when you fail over, the IP moves across but the MAC changes. In ACI, in the policy-based redirect policy, you can only specify one MAC address linked to a single IP address. You can't have two MAC addresses with the same IP. Therefore, when I fail over, PBR doesn't work unless I manually update the MAC address in the policy-based redirect policy object.

My question is: how did you fix this issue? Is there a way in ACI to do it differently, or is there a way on VSX for the cluster to use the same IP and the same MAC address? I've tried the VMAC feature, but it has created instability.

Thank you.

Hi,

We are using the VMAC feature. What kind of instability are you experiencing?

regards

Arthur

Hi Arthur,


Thank you very much for your answer.


Basically, within VSX, we have 3 contexts: 2 are L3Out (one Internet and one B2B) and the third one is for the PBR. With VMAC enabled and GARP on the BD related to the PBR context, the ClusterXL mechanism fails over successfully (OS level) and PBR works fine. However, regarding the two other contexts, the MAC address of the VMAC doesn't seem to be propagated to the leaf. We are seeing GARP being sent. This is affecting all VSs and creates instability on the contexts related to the L3Out.

I guess I need to activate GARP as well at the L3Out level (need to find out how) to make it work.


Without using VMAC, within ACI, you confirm that there is no way to set up 2 MACs and a single IP in the L4-L7 policy-based redirect, don't you?


Thank you very much for your help.


Kind Regards,

Alain.

Hi Arthur,


Please ignore my previous message. VMAC in fact works well in the 3 different contexts.

However, in the PBR one, the standby node, once active, definitely sends the GARP to the leaf switch (to update the endpoint table), but the leaf seems to ignore it.

Would you be able to share the config related to the BD? (I mean the different options: so far, I've got ARP flooding checked in the General tab and GARP in the L3 tab.)


Thank you very much.

Hi,

Just for your information: we run version 3.1(1i) and use a dedicated BD for our firewall.

I attached screenshots of our BD configs:

General Tab:

BD General Tab.PNG


L3 Tab:

BD L3 Tab.PNG

Hi Arthur,


Thank you very much.

We did exactly the same. A dedicated BD for the firewalls and the options you mentioned checked or unchecked accordingly.

The only difference is my version. We are on 4.1.

I will raise a TAC with Cisco and I will post the outcome in this discussion.


Thank you so much for your help.

Hi Arthur, All,


As promised, this is the solution to this problem.

We got to the bottom of this story.

Basically, when you have the option 'Rogue EP Control' enabled (which was our case) and you do a lot of failovers in a short period of time, the fabric considers them a potential threat and doesn't flip the IP/MAC address to the failover firewall.

We fixed the issue by just clicking on 'disabled':


Best Regards,


Rogue EP Control.jpg
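Two operational failure modes come up in this thread: a PBR redirect policy that still carries the old node's MAC after a VSX failover (the manual-update problem described earlier), and a leaf that keeps the stale endpoint because Rogue EP Control has quarantined the flapping IP/MAC. The script below is an added example, not code from Cisco or from anyone in the thread. It consumes the JSON returned by APIC class queries (GET /api/class/vnsRedirectDest.json, /api/class/fvCEp.json and /api/class/epControlP.json) and flags every redirect destination whose configured MAC differs from the MAC the fabric has learned for that IP, printing the Rogue EP Control state alongside. The class and attribute names are the APIC object-model names as I know them and the sample responses are constructed; confirm both against your own APIC version before relying on the output.

```python
"""Cross-check ACI PBR redirect destinations against the fabric endpoint table.

Added example for this thread. The three payloads below are constructed to
mimic APIC class-query replies (GET /api/class/<class>.json, authenticated with
the APIC-cookie obtained from /api/aaaLogin.json). Class/attribute names follow
the APIC object model as I know it (vnsRedirectDest, fvCEp, epControlP); they
are an assumption to verify against your APIC version, not taken from the thread.
"""
import json
from typing import Dict, List

# Constructed sample: the PBR policy still points at the formerly active node's MAC.
SAMPLE_REDIRECT_DESTS = json.dumps({"totalCount": "1", "imdata": [
    {"vnsRedirectDest": {"attributes": {
        "dn": "uni/tn-PROD/svcCont/svcRedirectPol-FW-PBR/RedirectDest_ip-[10.10.10.1]",
        "ip": "10.10.10.1", "mac": "00:1C:7F:00:00:01"}}}]})

# Constructed sample: after failover the fabric learned the shared IP with the
# standby node's MAC, so PBR is now redirecting to a MAC nobody answers on.
SAMPLE_ENDPOINTS = json.dumps({"totalCount": "2", "imdata": [
    {"fvCEp": {"attributes": {"dn": "uni/tn-PROD/ap-FW/epg-PBR/cep-00:1C:7F:00:00:02",
        "mac": "00:1C:7F:00:00:02", "ip": "10.10.10.1", "encap": "vlan-100"}}},
    {"fvCEp": {"attributes": {"dn": "uni/tn-PROD/ap-WEB/epg-WEB/cep-00:50:56:AA:BB:CC",
        "mac": "00:50:56:AA:BB:CC", "ip": "10.20.20.5", "encap": "vlan-200"}}}]})

# Constructed sample: fabric-wide Rogue EP Control setting.
SAMPLE_EP_CONTROL = json.dumps({"totalCount": "1", "imdata": [
    {"epControlP": {"attributes": {"dn": "uni/infra/epCtrlP-default",
                                   "adminSt": "enabled"}}}]})


def _attrs(payload: str, cls: str) -> List[Dict[str, str]]:
    """Return the attribute dicts of every object of class `cls` in a class-query reply."""
    return [obj[cls]["attributes"] for obj in json.loads(payload)["imdata"] if cls in obj]


def normalize_mac(mac: str) -> str:
    """Canonical upper-case colon form, accepting 00:1c:..., 00-1c-... and 001c.7f00.0001."""
    hexdigits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def learned_macs_by_ip(endpoint_payload: str) -> Dict[str, List[str]]:
    """Map each IP in the endpoint table to the MAC(s) the fabric has learned for it."""
    table: Dict[str, List[str]] = {}
    for ep in _attrs(endpoint_payload, "fvCEp"):
        if ep.get("ip"):
            table.setdefault(ep["ip"], []).append(normalize_mac(ep["mac"]))
    return table


def check_pbr_destinations(redirect_payload: str, endpoint_payload: str) -> List[Dict[str, object]]:
    """Compare each redirect destination's configured MAC with what the fabric learned.

    status: "ok"          configured MAC is among the learned MACs for that IP
            "mismatch"    IP is learned, but with a different MAC (stale PBR policy)
            "not-learned" the fabric has no endpoint for that IP at all
    """
    learned = learned_macs_by_ip(endpoint_payload)
    findings = []
    for dest in _attrs(redirect_payload, "vnsRedirectDest"):
        configured = normalize_mac(dest["mac"])
        seen = learned.get(dest["ip"], [])
        status = "not-learned" if not seen else ("ok" if configured in seen else "mismatch")
        findings.append({"dn": dest["dn"], "ip": dest["ip"], "configured_mac": configured,
                         "learned_macs": seen, "status": status})
    return findings


def rogue_ep_control_state(ep_control_payload: str) -> str:
    """Return the adminSt of the Rogue EP Control policy ("enabled"/"disabled"), or "unknown"."""
    states = {p.get("adminSt", "unknown") for p in _attrs(ep_control_payload, "epControlP")}
    return states.pop() if len(states) == 1 else "unknown"


if __name__ == "__main__":
    print("Rogue EP Control:", rogue_ep_control_state(SAMPLE_EP_CONTROL))
    for f in check_pbr_destinations(SAMPLE_REDIRECT_DESTS, SAMPLE_ENDPOINTS):
        print(f"{f['status']:<12} {f['ip']:<15} configured={f['configured_mac']} "
              f"learned={','.join(f['learned_macs']) or '-'}  ({f['dn']})")
```

A "mismatch" finding is the first failure mode in the thread: the fabric did learn the new active node, but the redirect policy was not updated. The second failure mode (Rogue EP Control holding the old entry) shows up as "ok" because the endpoint table itself is stale, which is why the Rogue EP Control state is printed next to the findings rather than "ok" being treated as proof that redirection works.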
