This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cezar_varlan1
Collaborator
‎2019-02-27 04:56 AM

Gaia Embedded Advanced Routing - BGP peering local-address issue

I have come across an odd bug and i am writing this in the hope others face the same issue. 

On Gaia embedded devices it looks like you cannot have two BGP peers with the same remote-AS and different local addresses as the local-address is configured per "remote-as" statement and not per "peer" statement.

I have done a few hours of troubleshooting to find out why my 790 connected to the same ISP via two different interfaces but with the same remote-AS was having one BGP session go Idle when adding the second BGP peer. 

It looks like when checking the config file  /etc/routed0.conf file on the gaia embedded expert mode you can see that both peers are grouped in the same peer-group even if there is no peer-group specifically configured based on the fact that they have the same remote-as. Because in my case the connections are made via different interfaces but with the same remote-as , the fact that the whole peer group is configured with the same "local address" makes the remote router on one of the connections refuse my session with a "wrong authentication" message.

If i issue a command set bgp remote-as "AS_NUM" local-address with the correct address the Idle connection becomes Established and the former established one goes Idle with the same error. 

Does anyone know of a fix for this or if this is a well known limitation?

I have opened a SR for this and i am currently waiting for feedback. 

Possible workarounds i have proposed:

1. Use "LAN Network Public IP" as local-address and ask the ISP to allow multi-hop BGP and create both sessions from the same LAN interface. This would work as the local-address is the same for both sessions.

2. Use a "Transitory Private AS" number and ask the ISP to change one of the peerings to use this AS instead of their real AS.

3. Use an external router for BGP peering, and use the Check Point just as a firewall.

4. Replace the Check Point with a Security Device that supports proper BGP implementation.

5. Wait for Check Point support to provide a hotfix (that would have to be updated for each new OS version from now on).

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-02-27 07:19 AM

Please change the place of this post to SMB and SMP - this is not a general question ! The only BGP limitation in sk105380 is that BGP MD5 is not supported - but SMBs are flash-based units with only a subset of GAiA features.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-03-01 01:27 AM

Did you receive any feedback from TAC yet ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
cezar_varlan1
Collaborator
‎2019-03-01 01:54 AM
In response to G_W_Albrecht

For now they have not confirmed or denied my assumptions but the engineer has noted that he has forwarded this to R&D and that has noticed my post here as well.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events