Hi Team,
I am configuring dynamic routing with AWS and on-prem Check Point GWs in R80.30 using VTI tunnels. CP is in VRRP cluster mode.
This is eBGP and both are having different AS numbers. Now the surprising thing is that IPsec with AWS is up but somehow the BGP peers are not coming up and at Check Point it still shows idle state.
Can someone pls help?
So, while debugging BGP I found the below messages:
May 1 11:18:20.840573 bgp_ifaddr_change(7101): Checking if interface change affects any peers
May 1 11:18:20.840573 bgp_set_nexthop_addresses(9735): 169.254.189.45 [eBGP AS 64512] No IPv4 address found to connect
May 1 11:18:20.840573 bgp_set_peer_ifaps(5383): 169.254.189.45 [eBGP AS 64512] Setting local nexthop addresses failed
Now since this is a VRRP cluster, do I need to VPNt cluster IP in mcvr or in vrrp as well?
I even tried adding it, but I am getting the below error:
add mcvr vrid 10 backup-address 169.254.189.46
WARNING this may take a while; please be patient
NMSMVR0266 No interface with net address 169.254.189.46
Does the 169.254.189.45 BGP peer arrive through the IPsec tunnel?
I would also look into VTIs in order to configure BGP over VPN, something like this:
In order to create a VRRP IP , you would need to have interface(s) in that network.
Well yes!! It is arriving through tunnel and I am seeing decrypted in logs.
The setup is done exactly as said here.
And to my surprise, I am not sure if I need to add the mcvr address in the configuration for VTI with BGP?
Honestly, I'm just taking a wild guess here, but I think you need to create a tunnel interface like below and maybe then try the mcvr IP address.
Well, there must be an issue with the VRRP solution for sure. I converted this cluster to ClusterXL and BGP peering happened immediately. That means in VRRP cluster mode the firewall was not able to pick up the cluster IP, however it did with ClusterXL.
Again, would really appreciate if someone can confirm if this is a known limitation or if I hit any bug here?
BGP over VTIs with VRRP is not supported. Just bumped into similar issue with one of my clients recently.
You'll have to switch to ClusterXL to get it going.
Also, in our case, we were not trying to establish tunnels with AWS, but with one of our peers, but another issue appeared to be that the use of arbitrary IPs on VTIs that are not adjacent (i.e. belong to a different network) did not work.
We've had to use IPs with identical first three octets, otherwise, tunnels would come up, but BGP peering would not.
From TAC:
"I spoke with our dynamic routing focal today and we got confirmation from R&D that VTIs and VRRP are not supported together because VRRP can't work with point to point interfaces. It seems that in order to get this configuration to work we would need to use clusterXL. We will make sure that we get the documentation updated to make this clear."
This is really surprising. There is no SK, nor does any official limitation confirm, that BGP is not supported over VRRP.
Yeah, I've spent some significant time trying to make it work in the absence of a relevant SK.
One was promised as a result of the SR opened for the case, but since you still cannot find anything, it was not published yet.
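The two failure conditions the thread converges on (a BGP peer with no local address on an adjacent interface, and VTIs combined with VRRP) can be checked before a deployment. The pre-flight validator below is an added example, not code from the thread or from Check Point; the interface table, the `vpnt1` VTI name (assumed Gaia VTI naming) and the peer list are constructed sample input.

```python
"""Pre-flight check for BGP-over-VTI peers on a Check Point cluster.

Added example (not from the thread or from Check Point). It reproduces the
two checks the debug output and TAC answer above imply:
  1. each eBGP peer must sit inside the prefix of a directly attached
     interface, so a local IPv4 address exists to connect from;
  2. VRRP cluster mode together with VTIs is an unsupported combination.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: interface name -> "address/prefixlen".
# "vpnt1" is assumed Gaia VTI naming; addresses are constructed.
INTERFACES: Dict[str, str] = {
    "eth0": "10.10.1.2/24",
    "vpnt1": "169.254.189.46/30",  # local end of the AWS tunnel
}
# Constructed sample: (peer address, remote AS); second peer is non-adjacent.
PEERS: List[Tuple[str, int]] = [("169.254.189.45", 64512), ("169.254.200.5", 64512)]


def local_address_for(peer: str, interfaces: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (ifname, local_ip) of the first interface whose prefix contains peer."""
    target = ipaddress.ip_address(peer)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if target in iface.network:
            return name, str(iface.ip)
    return None


def check_peers(peers: List[Tuple[str, int]], interfaces: Dict[str, str],
                cluster_mode: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    has_vti = any(name.startswith("vpnt") for name in interfaces)
    if cluster_mode.lower() == "vrrp" and has_vti:
        findings.append("VRRP with VTIs is unsupported (per TAC); use ClusterXL")
    for peer, asn in peers:
        if local_address_for(peer, interfaces) is None:
            # Mirrors the bgp_set_nexthop_addresses message seen in the debug
            findings.append(f"{peer} [eBGP AS {asn}] No IPv4 address found to connect")
    return findings


if __name__ == "__main__":
    for line in check_peers(PEERS, INTERFACES, "vrrp"):
        print(line)
```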