This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
an_technical
Explorer
a week ago

Route Propagation not working in virtual system

Hi All,

 

I have a setup with two virtual systems and internal and external virtual-switch

My two vsys has dedicated interface.

VSYS-1 

Eth-6 -> 192.168.2.12/24

VSYS-2

Eth-7 - 192.168.3.12/24

I have enabled route propagation on both interfaces and these two vsys has connectivity with both internal and external vswitch.

But I am not able to see propagated routes in both vsys.

I am using R80.40 at the moment.

Please assist where the problem can be.

Thank You

 

 

Preview file
10 KB
0 Kudos
12 Replies
Chris_Atkinson
Employee Employee
Employee
a week ago

Which JHF take is installed on the system?

Are all routes you expect to be propagated not present or just some specific ones?

Refer also: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_VSX_AdminGuide/Content/Topic...

( Please note R80.40 is EOL and you should consider upgrading in the near term ).

CCSM R77/R80/ELITE
0 Kudos
an_technical
Explorer
a week ago
In response to Chris_Atkinson

I have 211 hotfix installed on both management and VSX gateway.

I attached the screenshot of topology of both VSX.

I don't see 192.168.2.0/24 and 192.168.3.0/24 in both VSX routing table

Preview file
38 KB
Preview file
38 KB
0 Kudos
Chris_Atkinson
Employee Employee
Employee
a week ago
In response to an_technical

Has each gateway had its policy installed recently, how long has each been up?

Can we please also see the following output from each VS.... the topology seems not correct.

netstat -rn

ip route get x.y.z.0

CCSM R77/R80/ELITE
0 Kudos
Wolfgang
Authority
Authority
Sunday
In response to an_technical

@an_technical  I believe your topology is a little bit wrong. You have a layer 2 connect between both VS via 2 virtual switches. That‘s ok, but all attached interfaces are on different IP subnets, so no routing is possible between VS1 and VS2 and vice versa. And additional you have always two connects between both VSs, this must be observed with priorities.

I believe you‘re talking only about route propagation via the route configuration settings in the VS object not any other dynamic routing protocol like OSPF or BGP …?

(1)
the_rock
Legend
Legend
Sunday
In response to Wolfgang

Im not vsx guru by any means, but purely from routing perspective, makes total sense.

Andy

0 Kudos
an_technical
Explorer
Sunday
In response to Wolfgang

Thanks @Wolfgang : Yes you are right. I corrected the interface IP on wrp interface and I see route is propagated now. I am propagating the internal segment routes but these are propagated through external vswitch.

I am not able to find anything where we can propagate these through internal switch. Any suggestions pleas?

@Chris_Atkinson @the_rock 

0 Kudos
the_rock
Legend
Legend
Sunday
In response to an_technical

No option to do it via topology?

Andy

0 Kudos
an_technical
Explorer
Sunday
In response to the_rock

I can add manual static routes by disabling route propagation but we have large number of routes.

 

0 Kudos
Wolfgang
Authority
Authority
Monday
In response to an_technical

@an_technical you have a redundant connection between both VS, with VSX route propagation there is no way to differentiate an prioritize. You can remove one of the vswitches or you have to define the routes manually.

With vsx_provisioning_tool you can define a large range of routes via script.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Sunday
In response to an_technical

Note sure if it behaves differently in newer supported versions without testing, refer also:

https://community.checkpoint.com/t5/Security-Gateways/VSX-route-propagation-with-more-then-one-vSwit...

CCSM R77/R80/ELITE
0 Kudos
an_technical
Explorer
Monday
In response to Chris_Atkinson

Is there any known issue on R81.20 Version 631? 

0 Kudos
the_rock
Legend
Legend
a week ago

I agree with Chris 100%. You should upgrade to officially supported version, which is at least R81.10 at the moment, but I would recommend R81.20 if possible.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events