topic Re: BGP peering is not coming up - Please help in Firewall and Security Management

BGP peering is not coming up - Please help

Blason_R — Sat, 01 May 2021 05:36:52 GMT

Hi Team,

I am configuring dynamic routing with AWS and on-prem check point gws in R80.30 using vti tunnels. CP is in VRRP cluster mode

This is eBGP and both are having different AS numbers. Now surprising thing is ipsec with AWS is up but somehow BGP peers are not coming up and at check point it still shows idle state.

I have proper policy configured to allow port 179 and can see packets coming in from AWS side
wanted to know if there is any way to capture the packets for port 179 so that I can see the udpates on Check Point firewall
What are other possibilities behind BGP not coming up?
If I see using netstat and port 179 is listening but tcpdump -nni any port 179 is not showing any packets.

Can someone pls help?

Re: BGP peering is not coming up - Please help

Blason_R — Sat, 01 May 2021 06:07:53 GMT

So , while debugging BGP I found below messages

May 1 11:18:20.840573 bgp_ifaddr_change(7101): Checking if interface change affects any peers
May 1 11:18:20.840573 bgp_set_nexthop_addresses(9735): 169.254.189.45 [eBGP AS 64512] No IPv4 address found to connect
May 1 11:18:20.840573 bgp_set_peer_ifaps(5383): 169.254.189.45 [eBGP AS 64512] Setting local nexthop addresses failed

Now since this is a VRRP cluster do I need to VPNt cluster IP in mcvr or in vrrp as well?

Even I tried adding but I am getting below error

add mcvr vrid 10 backup-address 169.254.189.46
WARNING this may take a while; please be patient
NMSMVR0266 No interface with net address 169.254.189.46

Re: BGP peering is not coming up - Please help

funkylicious — Sun, 02 May 2021 07:19:40 GMT

Is the 169.254.189.45 BGP peer arrive through the IPSec tunnel ?

I would also look into VTI's in order to configure BGP over VPN , something like this

In order to create a VRRP IP , you would need to have interface(s) in that network.

Re: BGP peering is not coming up - Please help

Blason_R — Sun, 02 May 2021 13:44:04 GMT

Well yes!! It is arriving through tunnel and I am seeing decrypted in logs.

The setup is done exactly as said here.

And to my surprise and I am not sure if I need to add mcvr address in the configuration for VTI with BGP?

Re: BGP peering is not coming up - Please help

funkylicious — Sun, 02 May 2021 15:57:37 GMT

Honestly, I'm just taking a wild guess here, but i think you need to create a tunnel interface like below and maybe then try the mcvr ip address.

Re: BGP peering is not coming up - Please help

Blason_R — Thu, 06 May 2021 08:03:25 GMT

Well there must be a issue with VRRP solution for sure. I converted this cluster to Cluster XL and bgp peering happened immediately. That means in vrrp cluster mode firewall was not able to pick up the cluster ip however it did with cluster xl.

Again would really apperciate if someone can confirm if this is a known limitation or if I hit any bug here?

Re: BGP peering is not coming up - Please help

Vladimir — Thu, 06 May 2021 13:00:12 GMT

BGP over VTIs with VRRP is not supported. Just bumped into similar issue with one of my clients recently.

You'll have to switch to CLusterXL to get it going.

Also, in our case, we were not trying to establish tunnels with AWS, but with one of our peers, but another issue appeared to be that the use of arbitrary IPs on VTIs that are not adjacent (i.e. belong to a different network) did not work.

We've had to use IPs with identical first three octets, otherwise, tunnels would come up, but BGP peering would not.

From TAC:

"I spoke with our dynamic routing focal today and we got confirmation from R&D that VTIs and VRRP are not supported together because VRRP can't work with point to point interfaces. It seems that in order to get this configuration to work we would need to use clusterXL. We will make sure that we get the documentation updated to make this clear."

Re: BGP peering is not coming up - Please help

Blason_R — Thu, 06 May 2021 13:40:03 GMT

This is really surprising. There is no Sk neither any official limitation confirms that BGP does not support over VRRP.

Re: BGP peering is not coming up - Please help

Vladimir — Thu, 06 May 2021 14:08:15 GMT

Yeah, I've spent some significant time trying to make it work in the absence of relevant SK.

One was promised as a result of thie SR opened for the case, but since you still cannot find anything, it was not published yet.