R80.30 routing issue with ospf and VPN

I have a deployment with two sites; at each site there is a Check Point gateway (CP1 and CP2), and they are connected by a Site-to-Site VPN (Routed VPN, numbered VTI).

Here is a simplified description:

Subnet1, Subnet2 <----> Switch1 <--ospf--> CP1 <------- Routed VPN, ospf -----> CP2 <--ospf--> Switch2 <---> Subnet3, Subnet4


CP1 has its LAN address in Subnet1, CP2 has its LAN address in Subnet3.

All subnets are in different VLANs and are routable on the switches. There are corresponding VLAN interfaces with .254 addresses on the switches.


This setup was working fine on R77.30.

But on R80.30 I have a weird routing issue.


I cannot access CP1's LAN address from Subnet2 (

On CP1 I have a static route to the subnet with a lower rank than the OSPF route to the same subnet.

I verified that the static route is Active, not the OSPF one.

All firewall rules are in place. The issue is not there; I see that the traffic is not blocked.

Investigating, I found out the following:


  • If there is no tunnel between CP1 and CP2, and OSPF between Switch1 and CP1 is enabled, then there is no issue: I can access CP1 from Subnet2.
  • If the tunnel between CP1 and CP2 is working, but OSPF between CP1 and Switch1 is disabled, then there is also no issue.
  • So as long as OSPF between Switch1 and CP1 is enabled and the VPN between CP1 and CP2 is up, I have that issue.
  • Disabling/enabling OSPF in the VPN between CP1 and CP2 has no effect.


I don’t understand how that is happening and why.


Investigating further, I stumbled on this:

CP1 has these interfaces:

eth0 – LAN (

eth2 – Internet


In both cases (when the issue exists and when it does not) the commands

>show route

#route -n

#ip route

show the correct routing table, through the correct interface (eth0) to the Subnet2 ( destination


>show route

S         via, eth0, cost 0, age 48031


#route -n   UG    0      0        0 eth0


#ip route via dev eth0 proto 7


But the command #ip route get shows, when there is no issue: via dev eth0 src


And when the routing issue is present: via dev eth2 src


So basically it is showing that it will be sending packets through eth2, not eth0.

Why?? Where the hell does it come from?

The only route that should go through eth2 is the static default route to the ISP gateway.



To make it more confusing: when the issue exists I can easily access Internet resources from Subnet2,

and I can connect by VPN to CP1 (I have it configured) and access computers in Subnet2.

So this routing issue only affects packets that originate from CP1 itself and does not affect packets that are just passing through.


If I look at CP2 from Subnet4, the issue is the same.


Any ideas what is going on?

0 Kudos
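An added diagnostic example, not from the post and not Check Point's own tooling: it parses captured `ip route` and `ip route get` output, does the longest-prefix match a reader would do by eye on the main table, and flags when the kernel's actual lookup picked a different interface, which is the eth0-versus-eth2 discrepancy described above. The sample outputs and all addresses in it are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of `ip route` on a gateway like CP1 (placeholder addresses).
ROUTE_TABLE = """\
default via 203.0.113.1 dev eth2 proto 7
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.1
10.0.2.0/24 via 10.0.1.254 dev eth0 proto 7
"""
# Constructed `ip route get 10.0.2.10` outputs: the healthy case follows the
# table (eth0); the broken case is what the post describes (eth2 chosen).
ROUTE_GET_GOOD = "10.0.2.10 via 10.0.1.254 dev eth0 src 10.0.1.1 \n    cache \n"
ROUTE_GET_BAD = "10.0.2.10 via 203.0.113.1 dev eth2 src 203.0.113.2 \n    cache \n"


def parse_routes(text):
    """Turn `ip route` lines into (network, dev) pairs; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue  # skip blank lines and device-less entries (e.g. blackhole)
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def table_lookup(routes, dst):
    """Longest-prefix match over the main table: the answer `ip route` suggests."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def get_dev(route_get_text):
    """Interface reported by `ip route get`: the kernel's real FIB decision."""
    m = re.search(r"\bdev (\S+)", route_get_text)
    return m.group(1) if m else None


def diagnose(dst, route_text, route_get_text):
    """Compare the main-table expectation with the kernel's actual choice."""
    expected = table_lookup(parse_routes(route_text), dst)
    actual = get_dev(route_get_text)
    return {"dst": dst, "table_dev": expected, "fib_dev": actual,
            "mismatch": expected != actual}


if __name__ == "__main__":
    print(diagnose("10.0.2.10", ROUTE_TABLE, ROUTE_GET_BAD))
```

A mismatch means something other than the main table decided the route for locally generated packets, so the next things to check on the box are `ip rule show` and `ip route show table all`. Running `ip route get <dst> from <src> iif eth0` reproduces the lookup for forwarded traffic and shows whether that path really differs from the locally originated one.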
2 Replies

Keep in mind that the VPN domain overrides the routing table, so be sure to set those correctly for each FW.
It really sounds like you have network 192.168.2.* in the remote VPN domain.
Regards, Maarten
0 Kudos

I have a Routed VPN, not a Domain-based VPN. So the VPN Domain is just an empty group.

0 Kudos