topic Re: OSPF Not Coming Up - Showing Auth Error in Firewall and Security Management

OSPF Not Coming Up - Showing Auth Error

subrun_jamil — Fri, 24 Jun 2022 20:41:05 GMT

I am working to bring the ospf, Look like it is throwing Auth error all the time. I doubt at the checkpoint side I am missing something.

What could be the issue ? It is a new setup and there are no SmartDash Board Server Installed at the moment. Plan was to make the OSPF Connectivity. At the moment there are no initial rules at this Firewall. So accepting all traffic.

Debug log from cisco Side ( which is other side of the ospf neighbor ).

Jun 23 10:52:42.860 AST-Sum: OSPF-1 ADJ Vl2573: Rcv pkt from 10.7.248.26 : Mismatched Authentication key - ID 3.

Cisco Side OSPF Config

interface Vlan2573

description XXXXXXXXXXXXXX

ip address 10.7.248.25 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 3 md5 7 XXXXXXXX

Re: OSPF Not Coming Up - Showing Auth Error

Vladimir — Sat, 25 Jun 2022 00:48:27 GMT

If there are no initial rules on the firewall, you are actually dropping all traffic, including OSPF:

From Admin Guide: "Until the Security Gateway administrator installs the Security Policy on the Security Gateway for the first time, security is enforced by an Initial Policy.

The Initial Policy operates by adding the predefined implied rules to the Default Filter policy.

These implied rules forbid most communication, yet allow the communication needed for the installation of the Security Policy. The Initial Policy also protects the Security Gateway during Check Point product upgrades, when a SIC certificate is reset on the Security Gateway, or in the case of a Check Point product license expiration."

To allow OSPF until policy is configured and installed:

Execute "fw unloadlocal" in expert mode on this gateway, IF IT IS NOT in production, to actually remove the default policy.

If you need for routing to work while in wide-open state, execute "echo 1 > /proc/sys/net/ipv4/ip_forward"

That last one is actually courtesy of @Timothy_Hall .

To properly configure your policy for OSPF, see sk39960.

Re: OSPF Not Coming Up - Showing Auth Error

the_rock — Sat, 25 Jun 2022 04:44:19 GMT

@Vladimir is 100% right. You NEED rules to allow ospf, period.

Re: OSPF Not Coming Up - Showing Auth Error

subrun_jamil — Sat, 25 Jun 2022 04:52:36 GMT

Hi @Vladimir @the_rock

thank you for your reply.

I used "fw unloadlocal" so I dont think OSPF is getting blocked. As I shared earlier it is throwing Auth Error. ( image attached before )

FW# cpstat -f policy fw

Product name: Firewall
Policy name:
Policy install time:
Num. connections: 0
Peak num. connections: 0
Connections capacity limit: 0
Total accepted packets: 0
Total dropped packets: 0
Total rejected packets: 0
Total accepted bytes: 0
Total dropped bytes: 0
Total rejected bytes: 0
Total logged: 0

Re: OSPF Not Coming Up - Showing Auth Error

Vladimir — Sat, 25 Jun 2022 05:16:46 GMT

Hmm...

I'm a bit surprised to see the packet counters at 0.

That said, there used to be issue in R77.30 days specific to OSPF auth due to mtu missmatch, sk109092.

Re: OSPF Not Coming Up - Showing Auth Error

Chris_Atkinson — Sun, 26 Jun 2022 03:04:53 GMT

Which version & jumbo is this Gateway installed with?

(Note OSPF network type point-to-point isn't supported if set on the Cisco side).

Re: OSPF Not Coming Up - Showing Auth Error

subrun_jamil — Sun, 26 Jun 2022 04:06:44 GMT

@Chris_Atkinson

Hello Chris,

Cisco side is not P2P OSPF.

Cisco Side OSPF Config

interface Vlan2573

description XXXXXXXXXXXXXX

ip address XX.XX.XX.XX 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 3 md5 7 XXXXXXXX

CP Version is 80.40 and Build is 309

Re: OSPF Not Coming Up - Showing Auth Error

subrun_jamil — Sun, 26 Jun 2022 04:08:07 GMT

hello @Vladimir

My version is R80.40. Will check to see if enabling Subtract Authlen resolves the issue

Re: OSPF Not Coming Up - Showing Auth Error

Chris_Atkinson — Mon, 27 Jun 2022 08:30:55 GMT

To clarify you already have the latest GA jumbo installed (JHF T158)?

What's the password complexity like, have you experimented with something simple?

Re: OSPF Not Coming Up - Showing Auth Error

subrun_jamil — Mon, 27 Jun 2022 14:56:28 GMT

Hello @Chris_Atkinson

After setting key with a 16 character one it got resolved. 8)

To clarify you already have the latest GA jumbo installed (JHF T158)? -- I do not know how to check this. Can you suggest ?

Thanks for your intention to constantly trying to help me.

@the_rock @Vladimir @Chris_Atkinson

Re: OSPF Not Coming Up - Showing Auth Error

the_rock — Mon, 27 Jun 2022 15:00:26 GMT

If you need to check anything, I got working ospf/bgp in the lab on latest R81.10 jumbo 61 version, so happy to show you.

Re: OSPF Not Coming Up - Showing Auth Error

Chris_Atkinson — Mon, 27 Jun 2022 15:20:08 GMT

Glad it's resolved.

From the CLI in Expert mode on the Gateway: "cpinfo -y all"

This should output the currently installed hotfix level information.