This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
shopworld
Participant
‎2024-07-31 05:19 PM

OSPF doesnt start after upgrade to R81.20

Hi,

We have a R81.10 cluster that we were trying to upgrade to R81.20 but it failed as it caused a partial outage. After some investigation it appears to be ClusterXL/OSPF related.

Please see sequence of events below

* The secondary firewall was upgraded to R81.20 first and we lost connection to the box as my management connection also goes through OSPF. cphaprob on the active one was ACTIVE/LOST
* Changed the version to R81.20 in Smart console and pushed the policy to the newly upgraded secondary without any issues.
* TAC suggested to upgrade to primary so the cluster can be established and we can troubleshoot further.
* At this point outage starts with all ospf interfaces not able to connect. On the peer routers the state is INIT. Traffic is now passing through secondary.
* Both firewalls are upgraded and I can now connect to both of them, however all the traffic dependent on ospf are still down.
* At this stage I am asked to rollback the change since I had already gone over the outage window.
* I start downgrade on the primary which is not passing traffic and immediately lose connection as the upgrade starts.
* Install policy works on the primary node after I change the version number on Smart console.
* I downgrade the secondary as well, and everything comes back as it was. Connectivity was restored.

At the time I didn't know it was an OSPF issue but I investigated the routed logs the next day and saw lots of OSPF error messages which indicate the ospf instance did not start.

Jul 29 20:17:07.194789 [routed] ERROR: cpcl_cxl_master_id(1026): Failed to get cluster master information
Jul 29 20:17:07.194789 [routed] ERROR: api_get_member_info(485): failed to get member info selector = 0x81602ad, data = (nil)
Jul 29 20:17:07.194789 [routed] ERROR: cpcl_cxl_master_id(1026): Failed to get cluster master information
Jul 29 20:17:07.194789 [routed] ERROR: cpcl_cxl_master_sync_ip(1070): failed to get master id
Jul 29 20:17:07.194789 [routed] ERROR: api_get_member_info(485): failed to get member info selector = 0x81602ad, data = (nil)
Jul 29 20:17:07.194789 [routed] ERROR: cpcl_cxl_master_id(1026): Failed to get cluster master information
Jul 29 20:17:07.194789 [routed] ERROR: cpcl_cxl_master_sync_ip(1070): failed to get master id
Jul 29 20:17:09.241050 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.169.250.11(bond1.11)
Jul 29 20:17:09.241712 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.169.250.41(bond1.12)
Jul 29 20:17:09.242370 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.11(bond1.13)
Jul 29 20:17:09.243022 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.41(bond1.14)
Jul 29 20:17:09.243660 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.76(bond1.15)
Jul 29 20:17:09.244312 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.106(bond1.16)
Jul 29 20:17:09.244983 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.141(bond1.17)
Jul 29 20:17:09.245623 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.162(bond1.21)
Jul 29 20:17:09.246281 [routed] ERROR: OSPF2 instance default OspfInterfaceUp(4655): not starting protocol on interface 10.170.250.194(bond1.22)

 

I went through the OSPF configs and router id is the cluster IP on both. Nothing is out of the ordinary. Appreciate any insights you might have on this issue. Apologies for the long description and thank you for your time.

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2024-07-31 05:27 PM

I helped lots of people with this sort of upgrade on either ospf/bgp, never had a problem. Maybe related to below?

Andy

https://community.checkpoint.com/t5/Security-Gateways/OSPF-on-NSX/td-p/192098

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-07-31 05:44 PM

Which Jumbo take and how many interfaces are running OSPF on this gateway, fewer than 128?

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2024-07-31 05:50 PM

I think your best bet at this point is to open TAC case and provide those logs, see what they say.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events