This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sanjay_S
Advisor
‎2021-07-13 11:46 PM
Jump to solution

BGP routes are not in the route table

Hi All,

I am facing issues with the bgp routes. I am able to see the imported routes with the show route all command but i am not able to see any of the routes in the route table(route -n). Could you please suggest me on this as soon as possible please.

Below is the config in place.

set as zzzzz
set router-id x.x.x.x

set bgp external remote-as xxxxx on
set bgp external remote-as xxxxx description Primary Peer
set bgp external remote-as xxxxx export-routemap "Inside_Routes" preference 1 on
set bgp external remote-as xxxxx import-routemap "MPLSRoutes-IN" preference 1 on
set bgp external remote-as xxxxx peer y.y.y.y on
set bgp external remote-as xxxxx peer y.y.y.y ping on
set bgp external remote-as xxxxx peer y.y.y.y export-routemap "Inside_Routes" preference 1 on
set bgp external remote-as xxxxx peer y.y.y.y import-routemap "MPLSRoutes-IN" preference 1 on
set bgp external remote-as xxxxy on
set bgp external remote-as xxxxy description SecondaryPeer
set bgp external remote-as xxxxy export-routemap "Inside_Routes" preference 2 on
set bgp external remote-as xxxxy import-routemap "MPLSRoutes-IN" preference 2 on
set bgp external remote-as xxxxy peer z.z.z.z on
set bgp external remote-as xxxxy peer z.z.z.z aspath-prepend-count 3
set bgp external remote-as xxxxy peer z.z.z.z ping on

set routemap MPLSRoutes-IN id 3 on
set routemap MPLSRoutes-IN id 3 allow
set routemap MPLSRoutes-IN id 3 match as xxxxx on
set routemap MPLSRoutes-IN id 3 match as xxxxy on
set routemap MPLSRoutes-IN id 3 match interface eth3 on
set routemap Inside_Routes id 4 on
set routemap Inside_Routes id 4 allow
set routemap Inside_Routes id 4 match as xxxxx on
set routemap Inside_Routes id 4 match as xxxxy on
set routemap Inside_Routes id 4 match network 10.10.10.10/32 exact
set routemap Inside_Routes id 4 match protocol static

1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2021-07-17 12:22 PM
Jump to solution

I had similar issue with one customer and the only way to fix it was rebooting the firewalls after extensive troubleshooting and debugs with TAC. Odd thing in that scenario was that even though BGP config was there, it was stating from clish and BGP was not running...very strange.

View solution in original post

0 Kudos
11 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2021-07-16 07:17 AM
Jump to solution

If the route is showing up in the configuration (show route all) but not showing up in the live routing table, usually that means that the advertised nexthop gateway is not directly reachable through any of the firewall's interfaces.  This exact scenario (which can certainly be confusing) was covered in my Gaia 3.10 Immersion course, here are the relevant pages:

GaiaRoute1.jpg

 

GaiaRoute2.jpg

It is also possible that your have a problem with your defined routemap and the learned routes are being "hidden" as a result, see here: sk87420: BGP routes are not shown in the output of 'show route' command, but are shown as 'hidden' i...

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Sanjay_S
Advisor
‎2021-07-20 01:54 AM
In response to Timothy_Hall
Jump to solution

Thank you Timothy for the clear explanation on this. I can confirm the next hop if part of the subnet configured on one of the interfaces. Also verified the route map configuration on sk87420 still the issue doesn't seem to be resolved. Raised with TAC and waiting for the update. 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2021-07-17 12:22 PM
Jump to solution

I had similar issue with one customer and the only way to fix it was rebooting the firewalls after extensive troubleshooting and debugs with TAC. Odd thing in that scenario was that even though BGP config was there, it was stating from clish and BGP was not running...very strange.

0 Kudos
Sanjay_S
Advisor
‎2021-07-23 04:58 AM
In response to the_rock
Jump to solution

Even Checkpoint suggesting to restart the route daemon as you suggested the_rock :). I have requested customer a window to perform this. Will let the chain knows the outcome. In the meanwhile could you please suggest on what i need to do if i need to advertise the default route to the peer based on t he above config shared?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2021-07-23 05:05 AM
In response to Sanjay_S
Jump to solution

I hate to tell you this, but I dont think restarting the routing deamon will do anything here...reboot might be needed.

0 Kudos
Sanjay_S
Advisor
‎2021-07-26 12:28 AM
In response to the_rock
Jump to solution

Sure Rock will any install the latest hotfix so it will be rebooted. Will check the outcome and update this chain.

0 Kudos
Sanjay_S
Advisor
‎2021-07-26 03:42 AM
In response to Sanjay_S
Jump to solution

Hi All,

I do not see anything mentioned in the dynamic routing configuration for advertising the default route to the peer. Could you please suggest me on that. I went through the below community page but here it is mentioned that R80 doesn't support the 0.0.0.0/0 syntax.

https://community.checkpoint.com/t5/Security-Gateways/Gaia-R80-10-BGP-default-route/td-p/52156

0 Kudos
Sanjay_S
Advisor
‎2021-07-28 08:43 AM
In response to Sanjay_S
Jump to solution

Any suggestions on this please?

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2021-09-13 03:46 AM
In response to Sanjay_S
Jump to solution

Redistributing from static or another protocol with appropriate filter list should work just fine or are you looking for something else?

CCSM R77/R80/ELITE
0 Kudos
Sanjay_S
Advisor
‎2021-09-15 05:06 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

Rebooting the firewall fixed the issue:)

Thanks for all your support.

the_rock
MVP Gold
MVP Gold
‎2021-09-15 05:10 AM
In response to Sanjay_S
Jump to solution

Personally, what I always do is first look at /var/log/routed.log file on the firewall. If you see inconsistent messages there, thats your best clue that reboot is needed if restarting the routing daemon fails.

 

Cheers,

 

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events