This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MattElkington
Contributor
‎2023-10-11 08:52 AM
Jump to solution

BGP default route on standby member expected behaviour?

I have a cluster which is learning its default route via BGP, this works fine on the active member, but the standby never installs the route, so all communications that rely on the default route fail (updates.checkpoint.com for instance)

On failover its fine, as the default route appears immediatly when it becomes active, but whichever member is standby loses its default route, so more an annoyance than anything else.

This isn't occuring for OSPF, the standby member has all of the OSPF learnt routes with the exception of the ones hidden because they are directly connected ones.

If I add a manual static default (or specific route) pointing at the two BGP routers then everything works as intended, the standby has a default route but also folds the outbound traffic over the Sync interface and out through the active, however because (as I undertsand it) a static *always* takes precedence over a dynamic in Checkpoint land, this means that the static default overrides the BGP default.

Output of "show route all bgp" on Active:

Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
IS - IS-IS (L1 - Level 1, L2 - Level 2, IA - InterArea, E - External),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive

B D 0.0.0.0/0 via XXX.YYY.ZZZ.249, eth1-01.500, cost 0, age 3223
B H i 0.0.0.0/0 via XXX.YYY.ZZZ.250, eth1-01.500, cost None, age 3196
B H i 0.0.0.0/0 via XXX.YYY.ZZZ.249, eth1-01.500, cost None, age 3195

On Standby:

Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
IS - IS-IS (L1 - Level 1, L2 - Level 2, IA - InterArea, E - External),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive

 

Am I missing something obvious?  Is it not passing the route to the standby becuase FIBMGR treats default 0.0.0.0/0 routes differently?

 

 

0 Kudos
1 Solution

Accepted Solutions
Alex-
Leader Leader
Leader
‎2023-10-12 04:54 AM
In response to MattElkington
Jump to solution

You need an import route-map to install routes received from BGP.

View solution in original post

9 Replies
the_rock
Legend
Legend
‎2023-10-11 01:52 PM
Jump to solution

I thought myself that was indeed right, but its not. I just checked in customer's environment and shows same on both active and standby.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-10-11 04:24 PM
Jump to solution

What does the BGP config look like, could you please share the version/JHF of Gateway and if graceful-restart is configured for BGP?

CCSM R77/R80/ELITE
0 Kudos
MattElkington
Contributor
‎2023-10-12 04:48 AM
In response to Chris_Atkinson
Jump to solution

R81.20 JHF Take 26

Config for bgp is:

set nat-pool XXX.YYY.ZZ8.16/28 on
set nat-pool XXX.YYY.ZZ8.16/28 comment "Static NAT Range advertised via BGP"

set bgp default-med 0
set bgp default-route-gateway XXX.YYY.ZZ7.249
set bgp external remote-as ABCDE on
set bgp external remote-as ABCDE export-routemap "bgp_export" preference 1 family inet on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.249 on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.249 ping on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.250 on
set bgp external remote-as ABCDE peer XXX.YYY.ZZ7.250 ping on

set inbound-route-filter bgp-policy 512 based-on-as as GHIJK.LMNOP on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
set inbound-route-filter bgp-policy 512 default-localpref 0
set inbound-route-filter bgp-policy 512 default-weight 0

set routemap bgp_export id 1 on
set routemap bgp_export id 1 allow
set routemap bgp_export id 1 match network 0.0.0.0/0 all
set routemap bgp_export id 1 match protocol nat-pool
set bgp external remote-as ABCDE export-routemap bgp_export preference 1 family inet on

I do notice that if I remove "set bgp default-route-gateway XXX.YYY.ZZ7.249" that even the active gateway doesn't get a default route.  So maybe its that its not learning the BGP Default, or at least not transferring to the kernel.

I feel like I'm missing something here central here,  do I need to explicitly export the BGP routes to the kernel?

 

 

0 Kudos
Alex-
Leader Leader
Leader
‎2023-10-12 04:54 AM
In response to MattElkington
Jump to solution

You need an import route-map to install routes received from BGP.

MattElkington
Contributor
‎2023-10-12 08:59 AM
In response to Alex-
Jump to solution

Yep! That's the badger!

It was essentially me being an idiot.  There's an inbound route filter for the internal BGP AS, but not the external one.  That explains why the routes were flagging as Inactive and Hidden on the Active gateway.

This explains why OSPF routes work (they also have an inbound filter for all routes being accepted), but BGP doesn't as I wasn't bloody importing the BGP routes.

I have added an inbound route filter and now the two 0.0.0.0/0 routes from each peer are only showing as Inactive and not Hidden, but they are only inactive because i have 

set bgp default-route-gateway XXX.YYY.ZZ7.249

set.  I will remove that tomorrow morning and hopefully the actual BGP routes will be used on the active and not this "manufactured" default, and those will be pushed over to the standby.

 

Knew I was missing something important!!

 

0 Kudos
MattElkington
Contributor
‎2023-10-13 09:18 AM
In response to MattElkington
Jump to solution

I have confirmed today that actually importing the BGP routes to the kernel and disabling the

set bgp default-route-gateway XXX.YYY.ZZ7.249 

 setting makes it so the Active firewall actually uses the BGP learned default, and then passes it over tot he standby correctly.

All is now well in the world!

the_rock
Legend
Legend
‎2023-10-13 09:57 AM
In response to MattElkington
Jump to solution

Happy its working! 👍

0 Kudos
the_rock
Legend
Legend
‎2023-10-11 04:41 PM
Jump to solution

Since Chris asked about version/jumbo, our customer is on R81.20 jumbo 24. Only reason why we did not go to recommended jumbo was actually BGP issue another customer posted about in a different post.

Andy

0 Kudos
Alex-
Leader Leader
Leader
‎2023-10-12 02:29 AM
Jump to solution

Static routes are not always preferred but depend of Rank. Static routes have a rank of 60 and BGP a rank of 170, so to add a floating route you need to configure one with a rank of a higher numerical value than 170.

Regarding your issue, routes should normally be synced between the two cluster members assuming they have the same configurations but you might be getting your default route from somewhere else when the cluster isn't active for some reason, or they might not be installed because of a configuration issue.

Ensure you have the same router-id and BGP configuration on both members and check the router-options as well.

 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminG...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events