Auto last hop enabled with Checkpoint firewall

The Checkpoints running VRRP? Actually I'm not sure that matters in this scenario. Auto Last Hop is normally globally enabled by default so I'm surprised you're having issues.

 

 

So the ICMP gets back to the firewall, what does the firewall do? Or did you capture on the F5 and see the traffic get sent to the firewall?

The checkpoints are not running VRRP Cluster XL. I ran captures on both the Firewall and F5. The ICMP traffic gets to the F5 and The Checkpoint receives it back from the F5. You can ping the Virtual servers from the Checkpoint, however the ICMP responses never gets back to my terminal on the inside network. Once I turn Auto last hop off on the vlan on the F5 I get replies at my terminal.

Forgive me if I'm stating the obvious but;

 

 

1) What does the firewall do with the packets as they are clearly being dropped here. What do the logs say?

 

2) Have you compared packet captures on the F5 with ALH on and then off to see if anything changes?

Thanks Steve for Replying. The packets does noy get dropped the logs say they are passing. The packets captures look the same both devices are receiving and sending back over the correct interfaces. I know with ALH on the packet is sent back via mac instead of the default route for some reason when the Checkpoint gets the request back from the F5 it never sends it back to the internal host (myself). We are running VMAC on our Checkpoint Cluster.

Regarding the captures on the F5, do any of the MAC addresses change, either source or destination? My suspicion is that the source or destination (most likely) MAC changes with ALH on, can you double-check?

Below is the mac-address that show in the tcpdump on the F5. The first mac is the Firewall the second is the mac from the F5. The Mac does not change at least from the F5 stance.

 

 

16:13:54.712784 00:1c:7f:3f:49:b2 > 00:23:e9:02:98:c9,

 

16:13:54.712799 00:23:e9:02:98:c9 > 00:1c:7f:3f:49:b2

Below is the mac-address that show in the tcpdump on the F5. The first mac is the Firewall the second is the mac from the F5. The Mac does not change at least from the F5 stance.

 

 

16:13:54.712784 00:1c:7f:3f:49:b2 > 00:23:e9:02:98:c9,

 

16:13:54.712799 00:23:e9:02:98:c9 > 00:1c:7f:3f:49:b2

And if you display the ARP cache on the LTM, does the ARP entry for the firewall IP list the same MAC?

No this Mac does not show in the Cache. We use a transit network between the 2 devices.

OK, so the MAC you listed earlier isn't actually the firewall MAC, it's the MAC of the next hop towards the firewall?

 

 

Can you run a packet capture on the firewall and see where the packet goes?