topic Re: BGP routes are missing after ClusterXL failover in Firewall and Security Management

BGP routes are missing after ClusterXL failover

Wei_Soon_Heng — Mon, 06 Sep 2021 11:29:14 GMT

Hi All,

I am facing a strange issue whereby the BGP session is established successfully with fw02 after failover but are unable to get advertised BGP Routes from SDWAN VeloCloud. Both CheckPoint firewalls are enabled with graceful restart options.

BGP session and routes are working good when fw01 is the active member.

Below is my topology:
Cisco Nexus (AS X)<---> CheckPoint Cluster(AS X) <----> SDWAN VeloCloud (AS Y)

After searching the /var/log/routed.log , There are some lines showing that CP GAIA OS is not supporting some capabilites of BGP,

Please refer to log below:
Sep 6 11:05:30.940081 bgp_get_open(3073): peer 10.25.x.x+21144 (proto) has provided 4 Byte AS 6xxxx
Sep 6 11:05:30.940081 bgp_get_open: peer 10.25.x.x+21144 (proto) received unrecognized capability 69. Ignoring capability 69
Sep 6 11:05:30.940081 bgp_get_open: peer 10.25.x.x+21144 (proto) received unrecognized capability 73. Ignoring capability 73
Sep 6 11:05:30.940081 bgp_pp_recv: Receiving OPEN from peer 10.25.x.x +15501 [eBGP AS 6xxxx] in ESTABLISHED state, entering Graceful Restart Helper mode
Sep 6 11:05:30.940081 bgp_event: peer 10.25.x.x+15501 [eBGP AS 6xxxx] old state Established event RecvOpen new state Idle
Sep 6 11:05:30.940081 bgp_graceful_restart_close_stale_connection: Peer 10.25.x.x+15501 [eBGP AS 6xxxx] does not support non-stop forwarding for any AFI/SAFI, remove all routes from him
CHANGE X.X.X.X /31 gw 10.25.x.x BGP
pref 170/- metric /100 bond2.43 <Ext|Delete|Gateway> as 6xxxx
CHANGE X.X.X.X /24 gw 10.25.x.x BGP
pref 170/- metric /100 bond2.43 <Ext|Delete|Gateway> as 6xxxx
CHANGE X.X.X.X /32 gw 10.25.x.x BGP

It is resolved by disabled the graceful restart feature in fw02 only. So I having fw01 (enabled graceful restart) and fw02(disabled graceful restart).

Hope someone enlighten on why it is still working at fw01 even this fw is enabled with graceful restart options?

FW version is R80.40 with jhf take 102.

Thanks

Re: BGP routes are missing after ClusterXL failover

vinceneil666 — Mon, 06 Sep 2021 08:58:29 GMT

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116189-problemsolution-technology-00.html

I am not sure if this will actually fix it, but I had a similar issue sone time back that got resolved setting the non-capabilities on the Cisco end.. Also, I think that there has been some fix for this in R81.10

What CP version are you rinning ?

Re: BGP routes are missing after ClusterXL failover

the_rock — Mon, 06 Sep 2021 11:12:58 GMT

I had seen this before and firewall reboot had to be done to fix it.

Re: BGP routes are missing after ClusterXL failover

Wei_Soon_Heng — Mon, 06 Sep 2021 11:30:49 GMT

FW is running version R80.40 with jhf take 102.
Unfortunately, the peer is not Cisco, it is SDWAN VeloCloud device.

Re: BGP routes are missing after ClusterXL failover

Wei_Soon_Heng — Tue, 07 Sep 2021 10:01:36 GMT

problem still exists after reboot of problematic secondary fw

Re: BGP routes are missing after ClusterXL failover

the_rock — Tue, 07 Sep 2021 11:35:03 GMT

I would open TAC case...cant find much on those errors at all. If reboot did not clear it, there could be a bigger issue here.

Re: BGP routes are missing after ClusterXL failover

Andre_K — Tue, 07 Sep 2021 11:43:41 GMT

Make sure your 'import-routemap' configuration matches on both firewall members, it seems like your BGP peering is up but you're not accepting any BGP routes due to a missing routemap.

Re: BGP routes are missing after ClusterXL failover

the_rock — Tue, 07 Sep 2021 12:27:59 GMT

Another thing that came to my mind was maybe do a quick comparison of BGP on both members...just go to clish and run show bgp, hit tab and it will give you all the options to run the command. Its possible something might be missing on the fw2 member. Just a thought...

Re: BGP routes are missing after ClusterXL failover

Chris_Atkinson — Mon, 13 Sep 2021 11:04:32 GMT

Is it a clean install or in-place upgrade from an older version?

I would check the route-maps / filter lists are uniform on both but also verify FIBMGR traffic per sk109401.