https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174030#M1449 <P>Which Jumbo take is deployed in the environment?</P> <P>Graceful restart is typically relevant to failover scenarios as different to the symptoms you've described.</P> <P>Do you see the SMO / DR role change to a different SGM during this process?</P> Wed, 08 Mar 2023 14:15:05 GMT Chris_Atkinson 2023-03-08T14:15:05Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174027#M1448 <P>Dear Checkmates,</P><P>We have realized, that we obviously lose all sessions, when we add a new interface to our security group and add it into ospf.</P><P><FONT size="2"><EM>set ospf instance default interface bond1.2742 passive on</EM></FONT><BR /><FONT size="2"><EM>set ospf instance default interface bond1.2762 area 0.0.0.10 on</EM></FONT></P><P>Thus I would like to enable OSPF graceful-restart on our securitygroup.</P><P>(<FONT size="2"><EM>Although in some comment of C_Atkinson here on the forum it is mentioned, that graceful-restart should not be required, although it refers to Cluster XL?</EM></FONT></P><P><A href="https://community.checkpoint.com/t5/Security-Gateways/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/td-p/152083#" target="_self">https://community.checkpoint.com/t5/Security-Gateways/OSPF-drops-on-cluster-failover-since-R81-10-upgrade-from-R80-30/td-p/152083#</A>&nbsp;</P><P><FONT size="2"><EM>)</EM></FONT></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Is there anything I need to consider? We peer with Cisco Switches and I stumbled across:</P><P>"graceful-restart feature is an industry standard and Maestro supports it for both OSPF and BGP. That way you don't lose routes.&nbsp;graceful-restart must be supported by the peer and timers need to be in sync. The routes will stay while peering is built up after failover."</P><P>Can I assume this matches, since OSPF and graceful-restart helper already work?</P><P>Also I saw the following in the GUI:</P><P><FONT size="2"><EM>"OSPF Graceful Restart is incompatible with VRRP preempt" mode. Please disable preempt mode before configuring graceful restart"</EM></FONT></P><P>Since this is no VRRP Cluster and we already have graceful-restart-helper enabled, I think I can ignore this warning?</P><P>&nbsp;</P><P>Do you think it is safe to issue:</P><P><EM>set ospf instance default graceful-restart on</EM>&nbsp; ?</P><P>&nbsp;</P><P>Thanks in advance and BR,</P><P>Thomas</P><P>&nbsp;</P> Wed, 08 Mar 2023 13:08:02 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174027#M1448 T_Sonnberger 2023-03-08T13:08:02Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174030#M1449 <P>Which Jumbo take is deployed in the environment?</P> <P>Graceful restart is typically relevant to failover scenarios as different to the symptoms you've described.</P> <P>Do you see the SMO / DR role change to a different SGM during this process?</P> Wed, 08 Mar 2023 14:15:05 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174030#M1449 Chris_Atkinson 2023-03-08T14:15:05Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174033#M1450 <P>Hi Chris, thanks for the quick response:</P><P>We run:</P><P>HOTFIX_R81_10_JUMBO_HF_MAIN Take: 66</P><P>How could I see if the SM0 role changes?</P><P>&nbsp;</P><P>We were made aware of this through a team, which mentioned, that they have lost twice all sessions on their machines, and the timestamps matched exactly with the creation of some interfaces and adding them to OSPF.</P><P>I also could see, that our loadbalancer lost all connections to servers, sitting behind the firewall, at the same time</P><P>&nbsp;</P><P>The /var/log/meassges looked like:<BR /><FONT size="2"><EM>Feb 20 14:46:37 2023 security-group-ch01-01 clish[75447]: cmd by admin: Start executing : set ospf ... (cmd md5: 618860da39c8d871aec65ec33b6ebc30)</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:37 2023 security-group-ch01-01 clish[75447]: cmd by admin: Processing : set ospf instance default interface bond1.2204 area 0.0.0.10 on (cmd md5: 618860da39c8d871aec65ec33b6ebc30)</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: NETIS Message:vsxnet_send_rtnetlink_getlink_query failed to resolve if_type_str for magg0</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: NETIS Message:vsxnet_bond_status vsxnet_send_rtnetlink_getlink_query failed for magg0</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: instance name is [default]</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Configuration changed from localhost by user admin</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed conf file is [/etc/routed0.conf]</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed instance is [default]</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: moving /etc/cprd_syntax_test_default to /etc/routed0.conf</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Using routed pid 68213 for 'default'</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure re-initializing from /etc/routed.conf</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: parse_instance_only: my_instance_id -1 parsing instance default</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure reinitializing done</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 clish[75447]: cmd by admin: Start executing : set ospf ... (cmd md5: f890304ce4e765ac409944891568858a)</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 clish[75447]: cmd by admin: Processing : set ospf instance default interface bond1.2204 passive on (cmd md5: f890304ce4e765ac409944891568858a)</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: instance name is [default]</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Configuration changed from localhost by user admin</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed conf file is [/etc/routed0.conf]</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed instance is [default]</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: moving /etc/cprd_syntax_test_default to /etc/routed0.conf</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Using routed pid 68213 for 'default'</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure re-initializing from /etc/routed.conf</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: parse_instance_only: my_instance_id -1 parsing instance default</EM></FONT><BR /><FONT size="2"><EM>Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure reinitializing done</EM></FONT></P><P><FONT size="3">Thanks in advance and BR,</FONT></P><P><FONT size="3">Thomas</FONT></P> Wed, 08 Mar 2023 13:41:11 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174033#M1450 T_Sonnberger 2023-03-08T13:41:11Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174037#M1451 <P>To see the current SMO &amp; DR manager (Dynamic routing manager) review the following command output from expert mode:</P> <P>asg stat -i tasks&nbsp;</P> Wed, 08 Mar 2023 13:59:02 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174037#M1451 Chris_Atkinson 2023-03-08T13:59:02Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174038#M1452 <P>Thank you:</P><P>This is the output - it seems it remained on 1 (though I can't prove that it has been 2 before)</P><P>Chassis 1:<BR />[Expert@security-group-ch01-01:0]# asg stat -i tasks<BR />--------------------------------------------------------------------------------<BR />| Task (Task ID) | Chassis 1 |<BR />--------------------------------------------------------------------------------<BR />| SMO (0) | 1(local) |<BR />| General (1) | 1(local) |<BR />| LACP (2) | 1(local) |<BR />| CH Monitor (3) | 1(local) |<BR />| DR Manager (4) | 1(local) |<BR />| UIPC (5) | 1(local) |<BR />| Alert (6) | 1(local) |<BR />--------------------------------------------------------------------------------<BR /><BR /></P><P>Chassis 2:</P><P>[Expert@vsecurity-group-01-ch01-02:0]# asg stat -i tasks<BR />--------------------------------------------------------------------------------<BR />| Task (Task ID) | Chassis 1 |<BR />--------------------------------------------------------------------------------<BR />| SMO (0) | 1 |<BR />| General (1) | 1 |<BR />| LACP (2) | 1 |<BR />| CH Monitor (3) | 1 |<BR />| DR Manager (4) | 1 |<BR />| UIPC (5) | 1 |<BR />| Alert (6) | 1 |<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P> Wed, 08 Mar 2023 14:00:26 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Enable-OSPF-Graceful-Restart-on-Maestro-Security-Group-R81-10/m-p/174038#M1452 T_Sonnberger 2023-03-08T14:00:26Z