topic Re: BGP default route on standby member expected behaviour? in General Topics

BGP default route on standby member expected behaviour?

MattElkington — Wed, 11 Oct 2023 15:52:21 GMT

I have a cluster which is learning its default route via BGP, this works fine on the active member, but the standby never installs the route, so all communications that rely on the default route fail (updates.checkpoint.com for instance)

On failover its fine, as the default route appears immediatly when it becomes active, but whichever member is standby loses its default route, so more an annoyance than anything else.

This isn't occuring for OSPF, the standby member has all of the OSPF learnt routes with the exception of the ones hidden because they are directly connected ones.

If I add a manual static default (or specific route) pointing at the two BGP routers then everything works as intended, the standby has a default route but also folds the outbound traffic over the Sync interface and out through the active, however because (as I undertsand it) a static *always* takes precedence over a dynamic in Checkpoint land, this means that the static default overrides the BGP default.

Output of "show route all bgp" on Active:

Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
IS - IS-IS (L1 - Level 1, L2 - Level 2, IA - InterArea, E - External),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive

B D 0.0.0.0/0 via XXX.YYY.ZZZ.249, eth1-01.500, cost 0, age 3223
B H i 0.0.0.0/0 via XXX.YYY.ZZZ.250, eth1-01.500, cost None, age 3196
B H i 0.0.0.0/0 via XXX.YYY.ZZZ.249, eth1-01.500, cost None, age 3195

On Standby:

Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
IS - IS-IS (L1 - Level 1, L2 - Level 2, IA - InterArea, E - External),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive

Am I missing something obvious? Is it not passing the route to the standby becuase FIBMGR treats default 0.0.0.0/0 routes differently?

Re: BGP default route on standby member expected behaviour?

the_rock — Wed, 11 Oct 2023 20:52:04 GMT

I thought myself that was indeed right, but its not. I just checked in customer's environment and shows same on both active and standby.

Andy

Re: BGP default route on standby member expected behaviour?

Chris_Atkinson — Sun, 15 Oct 2023 02:40:20 GMT

What does the BGP config look like, could you please share the version/JHF of Gateway and if graceful-restart is configured for BGP?

Re: BGP default route on standby member expected behaviour?

the_rock — Wed, 11 Oct 2023 23:41:21 GMT

Since Chris asked about version/jumbo, our customer is on R81.20 jumbo 24. Only reason why we did not go to recommended jumbo was actually BGP issue another customer posted about in a different post.

Andy

Re: BGP default route on standby member expected behaviour?

Alex- — Thu, 12 Oct 2023 09:30:13 GMT

Static routes are not always preferred but depend of Rank. Static routes have a rank of 60 and BGP a rank of 170, so to add a floating route you need to configure one with a rank of a higher numerical value than 170.

Regarding your issue, routes should normally be synced between the two cluster members assuming they have the same configurations but you might be getting your default route from somewhere else when the cluster isn't active for some reason, or they might not be installed because of a configuration issue.

Ensure you have the same router-id and BGP configuration on both members and check the router-options as well.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/Routing-Options-Protocol-Rank.htm?tocpath=Routing%20Options%7C_____3

Re: BGP default route on standby member expected behaviour?

MattElkington — Thu, 12 Oct 2023 11:51:27 GMT

R81.20 JHF Take 26

Config for bgp is:

set nat-pool XXX.YYY.ZZ8.16/28 on
set nat-pool XXX.YYY.ZZ8.16/28 comment "Static NAT Range advertised via BGP"

set bgp default-med 0
set bgp default-route-gateway XXX.YYY.ZZ7.249
set bgp external remote-as ABCDE on
set bgp external remote-as ABCDE export-routemap "bgp_export" preference 1 family inet on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.249 on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.249 ping on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.250 on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.250 ping on

set inbound-route-filter bgp-policy 512 based-on-as as GHIJK.LMNOP on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
set inbound-route-filter bgp-policy 512 default-localpref 0
set inbound-route-filter bgp-policy 512 default-weight 0

set routemap bgp_export id 1 on
set routemap bgp_export id 1 allow
set routemap bgp_export id 1 match network 0.0.0.0/0 all
set routemap bgp_export id 1 match protocol nat-pool
set bgp external remote-as ABCDE export-routemap bgp_export preference 1 family inet on

I do notice that if I remove "set bgp default-route-gateway XXX.YYY.ZZ7.249" that even the active gateway doesn't get a default route. So maybe its that its not learning the BGP Default, or at least not transferring to the kernel.

I feel like I'm missing something here central here, do I need to explicitly export the BGP routes to the kernel?

Re: BGP default route on standby member expected behaviour?

Alex- — Thu, 12 Oct 2023 11:54:19 GMT

You need an import route-map to install routes received from BGP.

Re: BGP default route on standby member expected behaviour?

MattElkington — Thu, 12 Oct 2023 15:59:31 GMT

Yep! That's the badger!

It was essentially me being an idiot. There's an inbound route filter for the internal BGP AS, but not the external one. That explains why the routes were flagging as Inactive and Hidden on the Active gateway.

This explains why OSPF routes work (they also have an inbound filter for all routes being accepted), but BGP doesn't as I wasn't bloody importing the BGP routes.

I have added an inbound route filter and now the two 0.0.0.0/0 routes from each peer are only showing as Inactive and not Hidden, but they are only inactive because i have

set bgp default-route-gateway XXX.YYY.ZZ7.249

set. I will remove that tomorrow morning and hopefully the actual BGP routes will be used on the active and not this "manufactured" default, and those will be pushed over to the standby.

Knew I was missing something important!!

Re: BGP default route on standby member expected behaviour?

MattElkington — Fri, 13 Oct 2023 16:18:26 GMT

I have confirmed today that actually importing the BGP routes to the kernel and disabling the

set bgp default-route-gateway XXX.YYY.ZZ7.249

setting makes it so the Active firewall actually uses the BGP learned default, and then passes it over tot he standby correctly.

All is now well in the world!

Re: BGP default route on standby member expected behaviour?

the_rock — Fri, 13 Oct 2023 16:57:38 GMT

Happy its working! 👍

Re: BGP default route on standby member expected behaviour?

cmale — Thu, 16 Apr 2026 13:41:17 GMT

I currently have an Active/Standby cluster and am trying to get BGP working. I have to BGP peers that are Established. When I check received routes, the default route from ISP-B is showing 'i' for Inactive. I am getting the full routes from the other ISP, ISP-A. I tried testing this by removing the physical link for ISP-A and I lose internet, I am assuming because the only route I am receiving from ISP-B is the default route, which is showing Inactive.

It sounds similar to the issue you were facing.

Thoughts?

Re: BGP default route on standby member expected behaviour?

Chris_Atkinson — Thu, 16 Apr 2026 14:10:46 GMT

Do you have inbound route filters or route maps matching the route?