Changes to the Source MAC Address

This section applies to all ClusterXL modes, both High Availability and Load Sharing.

How the Source Cluster MAC Address is Assigned

Cluster Members communicate with each other using the Cluster Control Protocol (CCP). CCP packets are distinguished from ordinary network traffic by giving CCP packets a unique source MAC address.

Duplicate Source Cluster MAC Addresses: The Problem

When more than one cluster is connected to the same VLAN and CCP and Forwarding Layer traffic uses a Multicast MAC address as the destination, this traffic reaches only the intended cluster.

If the Broadcast MAC address is used as the destination for CCP and Forwarding Layer traffic (and in certain other cases), cluster traffic intended for one cluster is seen by all connected clusters. If the wrong cluster processes this traffic, it causes communication problems.

Duplicate Source Cluster MAC Addresses: The Solution

To resolve the issue, change the source MAC address (MAC magic ID) of the cluster interfaces connected to the broadcast domain in all but one of the clusters.

MAC magic has two modes, manual and automatic. Automatic is the default and the recommended mode. Do not use manual mode unless Check Point Support tells you to use it.

Note - For more details, see sk25977.

To change the MAC magic value:

  1. Close all SmartConsole windows. To make sure, run the cpstat mg command on Security Management Server or in the context of each Domain Management Server.
  2. Connect with GuiDBedit Tool (see sk13009) to Security Management Server or Domain Management Server.
  3. In the upper left pane, go to Table > Network Objects > network_objects.
  4. In the upper right pane, select the applicable Cluster object.
  5. Press CTRL+F (or go to Search menu > Find) > paste cluster_magic > click Find Next.
  6. In the lower pane, right-click on the cluster_magic > select Edit.
  7. Delete the current value.
  8. Enter the desired value and click OK:
    • To work in automatic mode (recommended mode), enter 254.

      254 is the default value and should already be set. If duplicate Source MAC addresses of CCP packets appear on the network even though automatic mode is set, then enter unique values for each cluster (manual mode).

    • To work in manual mode (only if instructed to do so by Check Point Support), enter an integer value between 1 and 253.

      Enter a unique value for each cluster in the domain.

  9. Repeat steps 4-8 for each cluster.
  10. Save the changes: go to File menu > click Save All.
  11. Close the GuiDBedit Tool.
  12. Connect with SmartConsole to Security Management Server or Domain Management Server.
  13. Install the policy on the Cluster object.
  14. Examine the MAC magic value on each Cluster Member:

    cphaprob mmagic

    All Cluster Members of the same cluster should have the same MAC magic value.

    Example:

    [Expert@MemberB:0]# cphaprob mmagic

    Configuration mode: Automatic
    Configuration phase: Stable

    MAC magic: 100
    MAC forward magic: 254

    Used MAC magic values: None.

To change the MAC magic ID during a Connectivity Upgrade (R80.10 and higher):

Before the upgrade, find out the current configuration mode.

  1. Connect to one of the Cluster Members.
  2. Run cphaprob mmagic

    The Configuration mode field shows manual or automatic.

    If the Configuration mode field shows automatic, upgrade the cluster. The upgraded Cluster Member will learn the MAC magic value from a member that has not yet been upgraded (if a value exists). Select a value if no previous value exists.

    Note - If the Configuration mode field shows manual, and you want to continue to use manual configuration, the same MAC magic value must be reused.

  3. Before the upgrade, find the configured MAC magic value:
    • For R80.10 and higher, run: cphaprob mmagic
    • For R77.30, run: cphaconf cluster_id get
    • For R77.20 and below, run: fw ctl get int fwha_mac_magic
  4. If you are working in manual mode, connect to the management server using GuiDBedit Tool:
    1. Connect with GuiDBedit Tool (see sk13009) to Security Management Server or Domain Management Server.
    2. In the upper left pane, go to Table > Network Objects > network_objects.
    3. In the upper right pane, select the applicable Cluster object.
    4. Press CTRL+F (or go to Search menu > Find) > paste cluster_magic > click Find Next.
    5. In the lower pane, right-click on the cluster_magic > select Edit.
    6. Delete the current value.
    7. Enter the previous value and click OK.
    8. Save the changes: go to File menu > click Save All.
    9. Close the GuiDBedit Tool.
  5. Upgrade the Cluster Members. See the R80.20 Installation and Upgrade Guide.

    Note - When working in manual mode, the MAC magic value must be configured using GuiDBedit Tool before the first policy installation.

  6. Connect with SmartConsole to Security Management Server or Domain Management Server.
  7. Install policy on the cluster object.
  8. Examine the MAC magic value on each Cluster Member:

    cphaprob mmagic

    All Cluster Members of the same cluster should have the same MAC magic value.
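
The member-by-member comparison that closes both procedures above can be scripted. The following is an added example, not part of the Check Point documentation: it reads saved `cphaprob mmagic` sessions in the format of the example output on this page and reports whether every member shows the same mode and MAC magic value. The function names and the sample sessions are constructed for illustration.

```shell
#!/bin/bash
# Added example. Reads pasted Expert-mode sessions on stdin; each member's
# block starts with its prompt line, e.g. "[Expert@MemberB:0]# cphaprob mmagic".
check_mmagic() {
    awk '
    BEGIN { member = "unknown" }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }        # trim each line
    /^\[Expert@[^:]+:[0-9]+\]# cphaprob mmagic/ {         # prompt: next member
        member = $0; sub(/^\[Expert@/, "", member); sub(/:.*/, "", member); next
    }
    /^Configuration mode:/ { mode[member] = value($0) }
    /^MAC magic:/          { magic[member] = value($0); order[++n] = member }
    function value(line) {                                # text after first colon
        line = substr(line, index(line, ":") + 1); sub(/^[ \t]+/, "", line)
        return line
    }
    END {
        if (n == 0) { print "no cphaprob mmagic output found"; exit 2 }
        for (i = 1; i <= n; i++) {
            m = order[i]
            printf "%s mode=%s magic=%s\n", m, mode[m], magic[m]
            # Every member must match the first one seen.
            if (magic[m] != magic[order[1]] || mode[m] != mode[order[1]]) bad = 1
        }
        if (bad) { print "MISMATCH"; exit 1 }
        print "OK"
    }'
}

# Constructed sample output for one member (arguments: member name, MAC magic).
sample_session() {
    printf '[Expert@%s:0]# cphaprob mmagic\n' "$1"
    printf 'Configuration mode: Automatic\nConfiguration phase: Stable\n'
    printf 'MAC magic: %s\nMAC forward magic: 254\n' "$2"
    printf 'Used MAC magic values: None.\n'
}
sample_consistent() { sample_session MemberA 100; sample_session MemberB 100; }
sample_mismatch()   { sample_session MemberA 100; sample_session MemberB 101; }

sample_consistent | check_mmagic
sample_mismatch | check_mmagic || echo "exit status: $?"
```

The function exits with status 0 when all members agree, 1 on a mismatch, and 2 when the input contains no `MAC magic` line.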