lphilp01
Participant

BGP Routing issue

3600 gateways running R82 Take 60, managed by R82.10 SMART-1 Cloud

I have been noticing issues with a Route based VPN that connects two sites at our company since we upgraded the gateways up to R82. Prior to this the VPN functioned just fine. Been doing some reading today and one article suggested it may be a problem with dynamic routing configuration, so I had a look see.

When the new gateways were built they were put on temporary IPs and run in parallel with the old gateways. Once we were confident they were configured correctly and all traffic was flowing, the old gateways were retired and the new gateways were moved on to the original gateway IPs so we could give the temporary IPs back to our datacentre host company.

It appears that the engineer that built them for us forgot to change the BGP Router IDs to match the WAN IP when the IPs were changed over. Both gateways still have the temporary IPs as their BGP Router IDs.

Is someone able to guide me on how I amend the BGP Router IDs? I assume I must do it in Clish, as Gaia won't let me as it's in use, but am unsure of the steps and commands.

Hoping the community can guide me 🙂

 


10 Replies
the_rock
MVP Diamond

I believe it's set router-id, but below should cover it.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/T...

Best,
Andy
"Have a great day and if its not, change it"
lphilp01
Participant

Thanks for the reply, I really appreciate it.

I have already seen this and I was getting lost with it if I am honest. The guide spends a lot of time detailing how in Gaia, but I can't do this while it's active as it's all locked out. When you get to the clish part of the guide it becomes a big list of commands, which is great if you know which ones to use in which order.

I need to know how to release that lock/stop the service (whatever is required), apply the change, restart the service, etc. I'm looking for a sequence of commands on how to do this.

0 Kudos
the_rock
MVP Diamond

You can try running the restart bgp command and see if that helps. However, if not, then I would verify with TAC if there is another way to do it, but if not, I'm afraid you may need to delete the BGP config and reconfigure it using the same settings, just a different router ID.

Best,
Andy
"Have a great day and if its not, change it"
lphilp01
Participant

Thanks again. I will have a rummage around the guide some more and in clish, see if I can figure it out.

I have opened a ticket with our support. I will have to give them time to figure it out before they will escalate to CP for assistance. Which will be Tuesday at the earliest sadly. I was hoping I might be able to sort it over the weekend. 

Living in the hope that one day I get to work for a company that actually trains me to do the jobs expected of me.

(1)
the_rock
MVP Diamond

If you allow remote, be free to message me, we can check together.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Is this a cluster and is the router-id set to the same address on both?

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Diamond

Hey Chris,

Lee and I connected offline, so will most likely do remote Monday. I will update the thread afterwards.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
lphilp01
Participant

I have solved it.

In Gaia

  1. Removed the BGP ASN - this cleared the BGP config
  2. Changed Global Settings - Router ID set to correct IP Address
  3. Removed the VTI - in my case vpnt1

In SmartConsole

  1. Opened the Gateway object > Network Management
  2. Get Interfaces with Topology
  3. Installed policy
  4. VPN Communities - opened the community and edited
    1. In R82.10 you can specify the BGP config on the Route Based VPN and it builds it for you
    2. New VTI and ASN numbers auto-assigned, link rebuilt with routing included
    3. Installed policy

Tested all working as expected and no more errors showing. Hopefully that is the end of it all now.

Thanks all for guidance
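
An added example, not part of the thread and not Check Point code: a small Python audit that looks for the condition described in the original post, a BGP router ID left on an address that was handed back after an IP cutover. It assumes a saved configuration dump whose lines look like `set router-id <ip>` and `set interface <name> ipv4-address <ip> mask-length <n>`; the sample configuration, the addresses and the retired range are constructed.

```python
import ipaddress
import re

# Constructed sample; the line formats are an assumption about the config dump.
SAMPLE_CONFIG = """\
set interface eth0 ipv4-address 203.0.113.10 mask-length 28
set interface eth1 ipv4-address 10.20.0.1 mask-length 24
set as 65010
set router-id 198.51.100.7
"""

IFACE_RE = re.compile(r"^set interface (\S+) ipv4-address (\S+) mask-length \d+\s*$")
ROUTER_ID_RE = re.compile(r"^set router-id (\S+)\s*$")


def parse_config(text):
    """Return (router_id or None, {interface name: IPv4Address})."""
    router_id, ifaces = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            ifaces[m.group(1)] = ipaddress.IPv4Address(m.group(2))
        elif m := ROUTER_ID_RE.match(line):
            try:
                router_id = ipaddress.IPv4Address(m.group(1))
            except ipaddress.AddressValueError:
                router_id = None  # a keyword rather than an address
    return router_id, ifaces


def audit_router_id(text, retired_networks=()):
    """List findings about the router ID versus the current addressing."""
    router_id, ifaces = parse_config(text)
    if router_id is None:
        return ["no explicit router-id configured"]
    findings = []
    if router_id not in ifaces.values():
        findings.append(f"router-id {router_id} is not assigned to any interface")
    for net in (ipaddress.ip_network(n) for n in retired_networks):
        if router_id in net:
            findings.append(f"router-id {router_id} is inside retired range {net}")
        for name, addr in ifaces.items():
            if addr in net:
                findings.append(f"{name} still uses {addr} from retired range {net}")
    return findings


if __name__ == "__main__":
    for finding in audit_router_id(SAMPLE_CONFIG, ["198.51.100.0/29"]):
        print(finding)
```

Running the same check on every gateway after a migration, with the temporary ranges passed as `retired_networks`, surfaces leftover addresses before they are returned to the hosting provider.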

 

the_rock
MVP Diamond

Excellent!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
lphilp01
Participant

Standalone gateway

0 Kudos
