topic Re: IS-IS protocol in FW CP. in Firewall and Security Management

IS-IS protocol in FW CP.

Matlu — Sun, 23 Mar 2025 15:27:44 GMT

Hello, Mates.

I have a problem with a FW CP which is working in bridge mode with 2 of its interfaces. I currently have 2 Routers.

R1 - - -- - R2

These 2 Routers are working with IS-IS and BGP. The problem is that when you put the FW in the middle, something like this:

R1 - - - - FW CP L2 - - -- - R2

IS-IS and BGP adjacency is dropping as well. I have a free policy to avoid drops, but still the session of these protocols is not up, and everything indicates that it is the CP, because the only thing I can do is a Rollback to get it working again.

Is there any way to confirm if the CP is voting IS IS sessions? I have used TCPdump, FW Ctl Zdebug, but I can't see anything relevant. Is it possible to filter the IS-IS or related traffic in some traffic capture?

Maybe concentrating on the interfaces which are part of the flow like Eth1-1 and Eth1-2?

Thanks for your comments.

Re: IS-IS protocol in FW CP.

the_rock — Sun, 23 Mar 2025 17:20:21 GMT

Hm, thats a bit tricky, since IS-IS does not use specific port number/protocol, so might be little tough to do any captures to discover if fw is dropping it. If you check the logs when you are testing it, do you see anything at all?

Andy

Re: IS-IS protocol in FW CP.

Matlu — Mon, 24 Mar 2025 01:08:24 GMT

Buddy.

Unfortunately I have not been able to capture something ‘important’ at the moment when the CP is in the middle, for the same reason that the commands did not show me relevant data.

For example, the zdebug did not show me anything, the tcpdump did not show me anything either, something quite strange.

Now the SmartConsole logs do show me traffic but it is multicast traffic, and I don't understand that.

R1 has IP x.x.160.161 and R2 x.x.160.162

And the only thing you see in the logs is traffic from these IPs at that time of testing but the destination shows MULTICAST traffic and nothing relevant to IS-IS between both IPs.

I asked ChatGPT and he sent me to capture traffic in tcpdump for a layer 2 protocol that is '0x83'

I will have to try it.

Re: IS-IS protocol in FW CP.

the_rock — Mon, 24 Mar 2025 01:31:20 GMT

Hm, that is indeed odd. Let me do some tests tomorrow in my lab as well.

Andy

Re: IS-IS protocol in FW CP.

PhoneBoy — Mon, 24 Mar 2025 21:37:15 GMT

Unless you've enabled and configured IS-IS routing on the gateway, I doubt we're doing anything.

Re: IS-IS protocol in FW CP.

the_rock — Mon, 24 Mar 2025 21:40:08 GMT

See if you can run some of below commands in clish?

Andy

R82> show isis
database - Show the contents of the IS-IS link-state database
errors - Show IS-IS errors
export-routemap - Show all routemaps for IS-IS export policy
hostnames - Show the IS-IS dynamic hostname list
interface - Show an IS-IS interface
interfaces - Show all IS-IS interfaces
ipv6 - Show IS-IS IPv6 multi-topology information
neighbor - Show an IS-IS neighbor
neighbors - Show all IS-IS neighbors
packets - Show IS-IS packets sent / received
summary - Show a brief summary of IS-IS running state
topology - Show IS-IS paths to other intermediate systems

Re: IS-IS protocol in FW CP.

Matlu — Mon, 24 Mar 2025 22:12:08 GMT

We are only supposed to be working the CP as L2.
It has only 2 interfaces in bridge mode, 1 of them goes to R1 and the other to R2.
So, it does not make sense that when we put the device it is downloading the IS-IS session if it is acting as a L2.
It does not make sense to me.

Re: IS-IS protocol in FW CP.

the_rock — Mon, 24 Mar 2025 23:22:07 GMT

Hey bro,

So, if thats the case, fw itself would not be doing any IS-IS traffic, it would be more of a "pass-through", for the lack of better term. Just run those commands I sent before from clish and send them over.

Andy