degrotef
Contributor

PBR allegedly unsupported when core features are enabled

Hello,

I am facing serious problems in my 5600 two-node cluster running R80.30. PBR has been active since we installed them 2 years ago, running fine.

Over the last months, every change in Gaia on routing, OSPF or similar is followed by a pnote event causing the cluster to switch over. Doing the changes on the other node causes the same, vice versa. Also, doing changes on the passive node creates a pnote event. We checked the config several times for inequality, but it's fine. So this was the time to involve TAC, and my service partner created a support ticket.

Now Checkpoint points to SK100500, where several features/blades are mentioned to be incompatible with PBR, e.g. URL Filtering, IPS and VPN Features and refuses any further investigations on the case.

Here is a discussion on this limitation, questioning the real meaning of the limitation and asking for a Checkpoint official to comment on it, but there's no answer. I cannot believe that core features like IPS are not compatible with PBR, and I would like to have this analyzed and commented on.

It's like a car manufacturer saying that driving a right turn is not supported if there are more than 2 persons in the car...

I have severe problems and currently no chance to get further support from Checkpoint.

In this thread the members @Peter_Lyndley and @FedericoMeiners have similar problems and doubts about this limitation. 

Thanks for any contribution

Frank

 

5 Replies
FedericoMeiners
Advisor

Hello,
I have my doubts that PBR is causing this issue.
I had experienced similar issues to yours in the past. The root cause was a routed daemon crash generated by OSPF changes, which caused this pnote.

I would collect crash logs on usermode or crash directories, also check messages and routed log at the time of the event. The TAC will probably ask for this and you may find some interesting leads 🙂
____________
https://www.linkedin.com/in/federicomeiners/
PhoneBoy
Admin

I'll have R&D double-check these limitations.
A few of them make sense, IPS and URLF don't necessarily.
degrotef
Contributor

Hi PhoneBoy,

Did you get any further information on these limitations? There is a new sk167135, but the limitations are the same.... very annoying...

PhoneBoy
Admin

URLF is definitely a limitation, IPS doesn't work with certain protections as I recall.

John_Fleming
Advisor

This does indeed sound like routed is crashing, which is what needs to be looked at. For sure engage support about the pnote. I'm guessing you have core files in /var/log/dump/usermode. Also, you can enable tracing on routed, which will create a log file /var/log/routed.log.

trace ospf all on

trace kernel all on

trace global all on

Something like that. Use off to disable. Once tracing is enabled (do on both members btw) and the cluster is active/standby, make a change known to cause the problem, then check those files on both members.
