SPM
Contributor

R80.30 routing issue with OSPF and VPN

I have a deployment with two sites; at each site there is a Check Point gateway, CP1 and CP2, and they are connected by a Site-to-Site VPN (Routed VPN, numbered VTI).

Here is a simplified description:

Subnet1, Subnet2 <----> Switch1 <--ospf--> CP1 <------- Routed VPN, ospf -----> CP2 <--ospf--> Switch2 <---> Subnet3, Subnet4

 

CP1 has the LAN address 192.168.1.1 (Subnet1), CP2 has the LAN address 172.16.1.1 (Subnet3).

All subnets are in different VLANs and are routable on the switches. There are corresponding VLAN interfaces with .254 addresses on the switches.

 

This setup was working fine on R77.30.

But on R80.30 I have a weird routing issue.

 

I cannot access CP1 LAN address 192.168.1.1 from Subnet2 (192.168.2.0/24)

On CP1 I have a static route to the 192.168.2.0/24 subnet with a lower rank than the OSPF route to the same subnet.

I verified that the static route is active, not the OSPF one.

All firewall rules are in place. The issue is not there; I see that traffic is not blocked.

Investigating, I found out the following:

 

  • If there is no tunnel between CP1 and CP2, and OSPF between Switch1 and CP1 is enabled, then there is no issue; I can access CP1 from Subnet2.
  • If the tunnel between CP1 and CP2 is working, but OSPF between CP1 and Switch1 is disabled, then there is also no issue.
  • So as long as OSPF between Switch1 and CP1 is enabled and the VPN between CP1 and CP2 is up, I have that issue.
  • Disabling/enabling OSPF in the VPN between CP1 and CP2 has no effect.

 

I don’t understand how that is happening and why.

 

Investigating further, I stumbled on this:

CP1 has the interfaces

eth0 - LAN (192.168.1.1)

eth2 - Internet

 

In both cases (when the issue exists and when it does not) the commands

>show route

#route -n

#ip route

show the correct routing table, through the correct interface (eth0) to the Subnet2 (192.168.2.0/24) destination:

 

>show route

S               192.168.2.0/24    via 192.168.1.254, eth0, cost 0, age 48031

 

#route -n

192.168.2.0   192.168.1.254 255.255.255.0   UG    0      0        0 eth0

 

#ip route

192.168.2.0/24 via 192.168.1.254 dev eth0 proto 7

 

But the command #ip route get 192.168.2.0/24 shows, when there is no issue:

192.168.2.0 via 192.168.1.254 dev eth0 src 192.168.1.1

 

And when the routing issue exists:

192.168.2.0 via 192.168.1.254 dev eth2 src 192.168.1.1

 

So basically it shows that it will send packets through eth2, not eth0.

Why?? Where the hell does that come from?

The only route that should go through eth2 is the static default route to the ISP gateway.

 

 

To make it more confusing, when the issue exists I can easily access Internet resources from Subnet2,

and I can connect by VPN to CP1 (I have it configured) and access computers in Subnet2.

So this routing issue only affects packets that come from CP1 itself and does not affect packets that are just passing through.

 

If I look at CP2 from Subnet4, the issue is the same.

 

Any ideas what is going on?

0 Kudos
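A way to automate the comparison the post makes by hand (an added example; it is not code from the thread or from Check Point): paste the `ip route` table and the `ip route get <dst>` result for a destination, do the longest-prefix match the table implies, and flag a destination whose kernel-selected egress interface differs from the interface the matching table entry names. The two `ip route get` lines are the ones from the post; the default-route and Subnet1 lines in the sample table are constructed (203.0.113.1 stands in for the ISP gateway, which the post does not give).

```python
"""Cross-check the egress interface the kernel actually picks (`ip route get`)
against the one the routing table (`ip route`) names for the same destination.
Sample inputs below are constructed from the thread; they are not live output."""
import ipaddress
import re

# One `ip route` line: "<prefix|default> [via <nh>] dev <if> ..."
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)"           # destination prefix or 'default'
    r"(?:\s+via\s+(?P<via>\S+))?"      # optional next hop
    r"\s+dev\s+(?P<dev>\S+)"           # egress interface
)

# One `ip route get` result line: "... [via <nh>] dev <if> [src <addr>] ..."
GET_RE = re.compile(
    r"(?:via\s+(?P<via>\S+)\s+)?dev\s+(?P<dev>\S+)(?:\s+src\s+(?P<src>\S+))?"
)

# Constructed sample: main table as `ip route` would print it on CP1.
SAMPLE_TABLE = """\
default via 203.0.113.1 dev eth2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 via 192.168.1.254 dev eth0 proto 7
"""

# The two `ip route get` results quoted in the post (healthy vs. broken).
GET_OK = "192.168.2.0 via 192.168.1.254 dev eth0 src 192.168.1.1"
GET_BAD = "192.168.2.0 via 192.168.1.254 dev eth2 src 192.168.1.1"


def parse_route_table(text):
    """Return a list of (network, via, dev) tuples from `ip route` output."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than guess
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        routes.append((net, m.group("via"), m.group("dev")))
    return routes


def table_lookup(routes, dst):
    """Longest-prefix match: the entry the table says should carry `dst`."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def parse_route_get(text):
    """Extract (via, dev, src) from a single `ip route get` result line."""
    m = GET_RE.search(text)
    if not m:
        raise ValueError("unrecognised `ip route get` output: %r" % text)
    return m.group("via"), m.group("dev"), m.group("src")


def check_egress(route_table_text, route_get_text, dst):
    """Compare the table's egress interface with the kernel's actual choice.

    Returns (consistent, table_dev, actual_dev); consistent is False exactly
    when the two interfaces differ, which is the symptom the post describes.
    """
    best = table_lookup(parse_route_table(route_table_text), dst)
    if best is None:
        raise ValueError("no route in table for %s" % dst)
    _, actual_dev, _ = parse_route_get(route_get_text)
    return actual_dev == best[2], best[2], actual_dev


if __name__ == "__main__":
    for label, got in (("no issue", GET_OK), ("issue", GET_BAD)):
        ok, want, have = check_egress(SAMPLE_TABLE, got, "192.168.2.10")
        print("%-9s table says %s, kernel picks %s -> %s"
              % (label, want, have, "consistent" if ok else "MISMATCH"))
```

`ip route get` performs the same lookup the kernel does for a locally generated packet, including any policy-routing rules, whereas `ip route` with no `table` argument lists only the main table. So when this check reports a mismatch, the next things worth listing on the gateway are `ip rule show` and `ip route show table all`, to see whether another table or rule is being consulted before the main one.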
2 Replies
Maarten_Sjouw
Champion

Keep in mind that the VPN domain overrides the routing table, so be sure to set those correctly for each FW.
It really sounds like you have network 192.168.2.* in the remote VPN domain.
Regards, Maarten
0 Kudos
SPM
Contributor

I have a Routed VPN, not a Domain-based VPN. So the VPN Domain is just an empty group.

0 Kudos
