topic Checkpoint BGP redistribution in General Topics

Checkpoint BGP redistribution

Sorin_Gogean — Fri, 09 Feb 2024 12:29:44 GMT

Hello Checkmates,

I'm coming back to you with another weird problem - as always 😄.

As we're deploying SDWan, we've identified that we want some certain sites, to be filtered from the rest of the network. So in order to achieve that, we separated them in a different VRF (vrf840) . This separated network (several sites) has the default gateway pointed to an Checkpoint cluster.

As we are distributing all those networks through BGP, we have set an BGP neighborship between SDWAN box (AS65002 - Cisco) and Checkpoint firewall (AS65502). All works well, we are receiving the routes that are only part of VRF840 on Checkpoint.

Now with those routes, we want to re-distribute them from Checkpoint to the Distribution Core (AS65002 - Cisco). We did the set-up, and peered with the Core, BGP is UP and when we were checking, we were advertising several networks (as they were matching the redistribution rule).

We can clearly see on Checkpoint, that those routes are advertised but still when we check on Distribution Core, we can not see any routes received - like zero.

To be sure that we don't have other issues, we decided to redistribute a static route - like 1.2.3.4/32 - and that shows as well as being advertised, and curiously, we can see that on Distribution as received. But any other routes, except the static one, are not showing.

Did anyone faced similar issues, or do you have a similar set-up, that works or it was failing the same way?

Thank you,

PS: in the PPT I've tried to capture some details and schemas

PS2: I've opened a ticket with Checkpoint, and they are correct stating that as long as we can see networks showing as being advertised from Checkpoint, then there is nothing wrong here.

PS3: The involved HW is 15600 with R81 and JHF87, all the rest is Cisco

Re: Checkpoint BGP redistribution

AmirArama — Fri, 09 Feb 2024 13:37:19 GMT

Sorry for the stupid question, did you verify that the routes received wasn't filtered out/blocked by the core(routemap/etc) ? Or that maybe the routes are hidden/inactive?

Did you run packet capture on the CP & core side to find the actual bgp packet with the missing routes advertisement, and verify if it was sent from CP, and received on the core.

If all that didn't help, consider enable bgp debug on both devices

Re: Checkpoint BGP redistribution

the_rock — Fri, 09 Feb 2024 13:43:22 GMT

Good point about routemaps. Also, TAC asked me to enable debug nunch of times for BGP issues, they are helpful, for sure.

Andy

Re: Checkpoint BGP redistribution

Sorin_Gogean — Fri, 09 Feb 2024 13:58:19 GMT

Hello AmirArama,

Here are the details from Distrib Core - as you see it's showing that I receive 1 network - still as you check below, I advertise 3 networks from Checkpoint....

USDA-FW01> show bgp peer 10.2.3.10 advertise

IPv4 Route MED LocalPref Nexthop Communities
1.2.3.4/32 None N/A(EBGP) 10.2.3.1
10.5.101.24/29 None N/A(EBGP) 10.2.3.1 65432:2444
10.160.253.253/32 None N/A(EBGP) 10.2.3.1 65432:2444

USDA-FW01>

USDA-DIST-VSS(config-router-af)#do sh ip bgp all su
For address family: IPv4 Unicast
BGP router identifier 10.2.2.10, local AS number 65002
BGP table version is 1964305, main routing table version 1964305
2049 network entries using 508152 bytes of memory
2713 path entries using 368968 bytes of memory
419 multipath network entries and 838 multipath paths
320/298 BGP path/bestpath attribute entries using 92160 bytes of memory
260 BGP AS-PATH entries using 10736 bytes of memory
67 BGP community entries using 2704 bytes of memory
1 BGP extended community entries using 40 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 982760 total bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths
67 received paths for inbound soft reconfiguration
BGP activity 98352/96303 prefixes, 1217580/1214867 paths, scan interval 30 secs
2211 networks peaked at 03:19:47 Oct 3 2023 EDT (18w3d ago)

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.2.11 4 65002 713518 741623 1964305 0 0 16w1d 54
10.2.2.12 4 65002 713237 741024 1964305 0 0 16w1d 51
10.2.2.15 4 65002 1178553 1241636 1964305 0 0 27w0d 383
10.2.2.25 4 65002 1176458 1241603 1964305 0 0 27w0d 383
10.2.2.35 4 65002 1201156 1241221 1964305 0 0 27w0d 680
10.2.2.55 4 65002 1168252 1241590 1964305 0 0 27w0d 707
10.2.2.65 4 65002 1167020 1241229 1964305 0 0 27w0d 0
10.2.2.250 4 64745 1167057 1167103 1964305 0 0 27w0d 4
10.2.3.1 4 65502 5446 5250 1964305 0 0 19:02:06 1
10.2.252.253 4 65402 2948599 3156486 1964305 0 0 1y21w 0
10.2.252.254 4 65402 2948599 3156410 1964305 0 0 1y21w 0
10.2.253.253 4 65402 3658420 4050054 1964305 0 0 1y38w 11
10.2.253.254 4 65402 3658267 4049650 1964305 0 0 1y38w 11
USDA-DIST-VSS(config-router-af)#

I did not do any debugs, because I don't think that advertising 3 routes, would mean 3 packets, and only one - the static one - is passed and accepted by Distrib Core.
An on this particular neighbor, on Distrib Core, I have an in routemap that allows everything. I even dropped it while with Checkpoint TAC and did not do any change.

Thank you,