https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152842#M25525 <P>I've tested and that did appear to do the trick <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; Thanks heaps!&nbsp; Much better than what I was told to change was fwha_cluster_hide_active_only 0 kernel value.</P><P>&nbsp;</P><P>I hope this doesn't re-introduce the problem we had where another FW rebooting caused OSPF to drop on the check point but will cross that bridge if it still happens on R81.10 <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; TAC advised for that case to enable GR and GR-Helper so touch wood we don't encounter that again.</P> Wed, 13 Jul 2022 00:03:35 GMT cem82 2022-07-13T00:03:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152083#M25145 <P>Hi</P><P>After upgrading from R80.30 to R81.10 (active/standby ClusterXL) we have found that whenever the cluster is failed over we loose OSPF and advertised routes. This was working fine when on R80.30 with the same clish config with the router-ID set as the VIP on both cluster members.&nbsp; When under stable conditions, we do see the OSPF routes sync'd to standby but historically if we did "show ospf neighbors" we would see the same as on the active.&nbsp; Now we see none on the standby.&nbsp; After a few min on either side of the cluster everything is fine again, is just upon failover for a few min things drop</P><P>Is there some other config or anything required for on R81.10?&nbsp; I didn't notice anything in the clusterXL or advanced routing admin guides.</P><P>Thanks</P> Thu, 30 Jun 2022 03:04:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152083#M25145 cem82 2022-06-30T03:04:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152095#M25146 <P>R81.10 with JHF T55 is working well with OSPF in a cluster environment from customer testing that I've been involved with.</P> Thu, 30 Jun 2022 06:54:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152095#M25146 Chris_Atkinson 2022-06-30T06:54:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152097#M25147 <P>We're also running JHF take 55.&nbsp; Do you need to do anything additional above the type of thing below or clusterXL related</P><P>&nbsp;</P><P>set router-id &lt;cluster VIP&gt;</P><P>set ospf instance default area backbone on<BR />set ospf instance default interface &lt;interface&gt; area backbone on<BR />set ospf instance default interface &lt;interface&gt; priority 1</P><P>and any associated route-filters / route redistribution.&nbsp; There are a few other OSPF modifications along with "set ospf instance default" but nothing that I could imagine as causing problems since were also there prior to upgrade.</P> Thu, 30 Jun 2022 07:24:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152097#M25147 cem82 2022-06-30T07:24:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152098#M25148 <P>What allowances have been made in the security policy itself for OSPF &amp; IGMP?</P> <P>Is graceful restart configured in your case?</P> Thu, 30 Jun 2022 07:24:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152098#M25148 Chris_Atkinson 2022-06-30T07:24:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152099#M25149 <P>FW policy hasn't changed at all for some time prior to or after the upgrade so would imagine that'd be fine.&nbsp; Graceful restart and graceful-restart-helper are both enabled.&nbsp; When looking at smartlog for src or dst of either cluster member or cluster object there are no drops.</P> Thu, 30 Jun 2022 07:29:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152099#M25149 cem82 2022-06-30T07:29:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152101#M25150 <P>Graceful restart is new to R81.10 so if your comparing to R80.30 you should disable it for a like-for-like comparison.</P> <P>R81.10 "OSPFv2 Graceful Restart in ClusterXL (RFC standard)" Source&nbsp;sk98226</P> <P>&nbsp;</P> <P>The above may seem contrary to what you might expect but you'll note the following stated in&nbsp;<SPAN>sk95968</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OSPF CXL.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17076iBD7F0DA0F563663E/image-size/large?v=v2&amp;px=999" role="button" title="OSPF CXL.png" alt="OSPF CXL.png" /></span></P> Thu, 30 Jun 2022 08:22:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152101#M25150 Chris_Atkinson 2022-06-30T08:22:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152105#M25182 <P>Thanks for pointing that out, when looking at the admin guide it seems to refer to that only for VRRP clusters?&nbsp; As part of a TAC case it was recommended (and did) after enabling graceful-restart-helper (graceful restart was already enabled) to resolve an issue we had on another cluster running 80.30 to enable graceful-restart-helper.</P><P>&nbsp;</P><P>Hopefully when I upgrade the other cluster the other issue doesn't break again if this is the fix to disable GR <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 Jun 2022 08:49:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152105#M25182 cem82 2022-06-30T08:49:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152842#M25525 <P>I've tested and that did appear to do the trick <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; Thanks heaps!&nbsp; Much better than what I was told to change was fwha_cluster_hide_active_only 0 kernel value.</P><P>&nbsp;</P><P>I hope this doesn't re-introduce the problem we had where another FW rebooting caused OSPF to drop on the check point but will cross that bridge if it still happens on R81.10 <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; TAC advised for that case to enable GR and GR-Helper so touch wood we don't encounter that again.</P> Wed, 13 Jul 2022 00:03:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152842#M25525 cem82 2022-07-13T00:03:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152844#M25526 <P>I understand why they would recommend that and perhaps warrants it's own TAC investigation to determine why GR didn't perform in the way indicated be it configuration on the peer (missing GR helper) or other issue (especially if it persists with T66 and higher).</P> Wed, 12 Oct 2022 06:37:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/m-p/152844#M25526 Chris_Atkinson 2022-10-12T06:37:09Z