This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Daniel_3
Contributor
‎2023-11-21 01:36 AM

Maestro BGP routes delayed until first keepalive

Hello,

 

we are bulding a new Maestro environment currently and stumbled upon the following issue:

We are using dynamic routing with BGP. Each route has two next-hops, Router 1 (primary) and Router 2 (backup).

When we failover the BGP sessions from router 1 to router 2 (by manually taking down the BGP session to router 1) everything works fine. But when we want to go back to router 1, there are no routes on the firewall for the first 30 seconds after the BGP sessions becomes established (30 seconds is our configured timer for keepalive messages).

On the router (Juniper OS) we see the outgoing route-update immediately after session establishment and we also see these packets in tcpdump on the firewall. But the firewall just seems to completely ignore this first update. Only after the router sends its first keepalive the firewall suddenly also gets the advertised routes from the router.

 

We noticed this issue with our first security group (sg-1) with version R81.10 JHF Take 94 but I also did some tests with a new security group (sg-2) on version R81.20 JHF Take 26 and the behavior is the same.

Both security groups consist of two 6900 plus appliances and are configured as VSX.

 

Did anybody else notice this behavior in their environment?

I also attached information about our systems and the BGP configuration.

Preview file
8 KB
Preview file
7 KB
0 Kudos
2 Replies
vinceneil666-2
Explorer
‎2023-11-21 03:13 AM

Did you do debugging on BGP on the check point end ? Its probably not 'it' - but I do remember some BGP options not beeing supported by Check Point relating to Cisco.  I have no idea about Juniper.

Juniper might have a lookalike command where you can see capabilities of the check point. And bgp debug on check point migjt give you an idea it there are traffic going on reltated to unsupported features comming from juniper. (just a shot in the dark)

0 Kudos
Daniel_3
Contributor
‎2024-02-07 12:14 AM
In response to vinceneil666-2

Hi,
sorry for the late response. Yes, we did a lot of debugging together with Check Point and Juniper support. After two months of troubleshooting we got a custom hotfix from Check Point which solved the issue.

Now the the routes are being accepted in the routing table and also advertised to other peers after two seconds.

I asked what exactly the hotfix does, but did not get much information other than "it fixes the issue".

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events