This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
T_Sonnberger
Contributor
‎2023-03-08 05:08 AM

Enable OSPF Graceful-Restart on Maestro Security Group (R81.10)

Dear Checkmates,

We have realized, that we obviously lose all sessions, when we add a new interface to our security group and add it into ospf.

set ospf instance default interface bond1.2742 passive on
set ospf instance default interface bond1.2762 area 0.0.0.10 on

Thus I would like to enable OSPF graceful-restart on our securitygroup.

(Although in some comment of C_Atkinson here on the forum it is mentioned, that graceful-restart should not be required, although it refers to Cluster XL?

https://community.checkpoint.com/t5/Security-Gateways/OSPF-drops-on-cluster-failover-since-R81-10-up... 

)

 

 

 

Is there anything I need to consider? We peer with Cisco Switches and I stumbled across:

"graceful-restart feature is an industry standard and Maestro supports it for both OSPF and BGP. That way you don't lose routes. graceful-restart must be supported by the peer and timers need to be in sync. The routes will stay while peering is built up after failover."

Can I assume this matches, since OSPF and graceful-restart helper already work?

Also I saw the following in the GUI:

"OSPF Graceful Restart is incompatible with VRRP preempt" mode. Please disable preempt mode before configuring graceful restart"

Since this is no VRRP Cluster and we already have graceful-restart-helper enabled, I think I can ignore this warning?

 

Do you think it is safe to issue:

set ospf instance default graceful-restart on  ?

 

Thanks in advance and BR,

Thomas

 

0 Kudos
4 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-03-08 05:30 AM

Which Jumbo take is deployed in the environment?

Graceful restart is typically relevant to failover scenarios as different to the symptoms you've described.

Do you see the SMO / DR role change to a different SGM during this process?

CCSM R77/R80/ELITE
0 Kudos
T_Sonnberger
Contributor
‎2023-03-08 05:40 AM
In response to Chris_Atkinson

Hi Chris, thanks for the quick response:

We run:

HOTFIX_R81_10_JUMBO_HF_MAIN Take: 66

How could I see if the SM0 role changes?

 

We were made aware of this through a team, which mentioned, that they have lost twice all sessions on their machines, and the timestamps matched exactly with the creation of some interfaces and adding them to OSPF.

I also could see, that our loadbalancer lost all connections to servers, sitting behind the firewall, at the same time

 

The /var/log/meassges looked like:
Feb 20 14:46:37 2023 security-group-ch01-01 clish[75447]: cmd by admin: Start executing : set ospf ... (cmd md5: 618860da39c8d871aec65ec33b6ebc30)
Feb 20 14:46:37 2023 security-group-ch01-01 clish[75447]: cmd by admin: Processing : set ospf instance default interface bond1.2204 area 0.0.0.10 on (cmd md5: 618860da39c8d871aec65ec33b6ebc30)
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: NETIS Message:vsxnet_send_rtnetlink_getlink_query failed to resolve if_type_str for magg0
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: NETIS Message:vsxnet_bond_status vsxnet_send_rtnetlink_getlink_query failed for magg0
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: instance name is [default]
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Configuration changed from localhost by user admin
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed conf file is [/etc/routed0.conf]
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed instance is [default]
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: moving /etc/cprd_syntax_test_default to /etc/routed0.conf
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Using routed pid 68213 for 'default'
Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure re-initializing from /etc/routed.conf
Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: parse_instance_only: my_instance_id -1 parsing instance default
Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure reinitializing done
Feb 20 14:46:38 2023 security-group-ch01-01 clish[75447]: cmd by admin: Start executing : set ospf ... (cmd md5: f890304ce4e765ac409944891568858a)
Feb 20 14:46:38 2023 security-group-ch01-01 clish[75447]: cmd by admin: Processing : set ospf instance default interface bond1.2204 passive on (cmd md5: f890304ce4e765ac409944891568858a)
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: instance name is [default]
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Configuration changed from localhost by user admin
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed conf file is [/etc/routed0.conf]
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: finalize: routed instance is [default]
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: moving /etc/cprd_syntax_test_default to /etc/routed0.conf
Feb 20 14:46:38 2023 security-group-ch01-01 xpand[61248]: Using routed pid 68213 for 'default'
Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure re-initializing from /etc/routed.conf
Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: parse_instance_only: my_instance_id -1 parsing instance default
Feb 20 14:46:38 2023 security-group-ch01-01 routed[68188]: [routed] NOTICE: task_reconfigure reinitializing done

Thanks in advance and BR,

Thomas

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-03-08 05:56 AM
In response to T_Sonnberger

To see the current SMO & DR manager (Dynamic routing manager) review the following command output from expert mode:

asg stat -i tasks 

CCSM R77/R80/ELITE
0 Kudos
T_Sonnberger
Contributor
‎2023-03-08 06:00 AM
In response to Chris_Atkinson

Thank you:

This is the output - it seems it remained on 1 (though I can't prove that it has been 2 before)

Chassis 1:
[Expert@security-group-ch01-01:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID) | Chassis 1 |
--------------------------------------------------------------------------------
| SMO (0) | 1(local) |
| General (1) | 1(local) |
| LACP (2) | 1(local) |
| CH Monitor (3) | 1(local) |
| DR Manager (4) | 1(local) |
| UIPC (5) | 1(local) |
| Alert (6) | 1(local) |
--------------------------------------------------------------------------------

Chassis 2:

[Expert@vsecurity-group-01-ch01-02:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID) | Chassis 1 |
--------------------------------------------------------------------------------
| SMO (0) | 1 |
| General (1) | 1 |
| LACP (2) | 1 |
| CH Monitor (3) | 1 |
| DR Manager (4) | 1 |
| UIPC (5) | 1 |
| Alert (6) | 1 |
--------------------------------------------------------------------------------

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events