R80.30 routing issue with ospf and VPN

SPM — Mon, 23 Dec 2019 12:16:51 GMT

I have a deployment with two Sites, at each sites there is a checkpoint CP1 and CP2, which are connected by Site-to-Site VPN (Routed VPN, numbered vti).

Here is a simplified description:

Subnet1, Subnet2 <----> Switch1 <--ospf--> CP1 <------- Routed VPN, ospf -----> CP2 <--ospf--> Switch2 <---> Subnet3, Subnet4

CP1 have LAN address 192.168.1.1 (subnet1), CP2 have LAN address 172.16.1.1 (Subnet3)

All Subnets are in different VLANs and routable on switches. There are corresponding vlan interfaces with .254 address on switches

This setup was working fine on R77.30.

But on R80.30 I have some weird routing issue.

I cannot access CP1 LAN address 192.168.1.1 from Subnet2 (192.168.2.0/24)

On CP1 I have static route to 192.168.2.0/24 subnet with lower rank then OSPF route to the same subnet

I verified that static route is Active, not OSPF

All firewall rules are in place. The issue not in that. I see that traffic is not blocked.

Investigating I found out following

If there is no tunnel between CP1 and CP2, and ospf between Switch1 and CP1 enabled, then no issue, I can access CP1 from Subnet2
If the tunnel between CP1 and CP2 working, but ospf between CP1 and Switch1 disabled, then there is also no issue
So as long as ospf between Switch1 and CP1 enabled, and VPN between CP1 and CP2 up I have that issue.
Disabling/Enabling ospf in VPN between CP1 and CP2 have no effect

I don’t understand how that is happening and why.

Investigating further, I stumbled on this:

CP1 have interfaces

eth0 – LAN (192.168.1.1)

eth2 – Internet

In both cases (when the issue exists and when not) commands

>Show route

#routed –n

ip route

Shows correct routing table, thru correct interfaces (eth0) to Subnet2 (192.168.2.0/24) destination

>show route

S 192.168.2.0/24 via 192.168.1.254, eth0, cost 0, age 48031

#route -n

192.168.2.0 192.168.1.254 255.255.255.0 UG 0 0 0 eth0

#ip route

192.168.2.0/24 via 192.168.1.254 dev eth0 proto 7

But command #ip route get 192.168.2.0/24 shows when no issue

192.168.2.0 via 192.168.1.254 dev eth0 src 192.168.1.1

And when routing issue

192.168.2.0 via 192.168.1.254 dev eth2 src 192.168.1.1

So basically it is showing that it will be sending packets thru eth2 not eth0.

Why ?? from where the hell it comes from

the only route that is should be thru eth2 is static default route to ISP gateway

To get more confused when issue exists I can easily access Internet resources from Subnet2,

And I can connect by VPN to CP1 (I have it configured) and access computers in Subnet2

So this routing issue only affects packets that is coming from CP1 itself and does not affect packets that is just passing thru

If look at CP2 from Subnet4 the issue is the same

Any ideas what is going on.

Re: R80.30 routing issue with ospf and VPN

Maarten_Sjouw — Mon, 23 Dec 2019 18:11:43 GMT

Keep in mind that the VPN domain overrides the routing table, so be sure to set those correct for each FW.
It really sounds like you have network 192.168.2.* in the remote VPN domain.

Re: R80.30 routing issue with ospf and VPN

SPM — Mon, 23 Dec 2019 23:17:55 GMT

I have a Routed VPN, not Domain based VPN. So VPN Domain just an empty group.

topic Re: R80.30 routing issue with ospf and VPN in General Topics

R80.30 routing issue with ospf and VPN

Re: R80.30 routing issue with ospf and VPN

Re: R80.30 routing issue with ospf and VPN