This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2021-04-30 10:35 PM

BGP peering is not coming up - Please help

Hi Team,

I am configuring dynamic routing with AWS and on-prem check point gws in R80.30 using vti tunnels. CP is in VRRP cluster mode

This is eBGP and both are having different AS numbers. Now surprising thing is ipsec with AWS is up but somehow BGP peers are not coming up and at check point it still shows idle state.

  1. I have proper policy configured to allow port 179 and can see packets coming in from AWS side
  2. wanted to know if there is any way to capture the packets for port 179 so that I can see the udpates on Check Point firewall
  3. What are other possibilities behind BGP not coming up?
  4. If I see using netstat and port 179 is listening but tcpdump -nni any port 179 is not showing any packets.

 

Can someone pls help?

0 Kudos
8 Replies
Blason_R
Leader
Leader
‎2021-04-30 11:07 PM

So , while debugging BGP I found below messages

May 1 11:18:20.840573 bgp_ifaddr_change(7101): Checking if interface change affects any peers
May 1 11:18:20.840573 bgp_set_nexthop_addresses(9735): 169.254.189.45 [eBGP AS 64512] No IPv4 address found to connect
May 1 11:18:20.840573 bgp_set_peer_ifaps(5383): 169.254.189.45 [eBGP AS 64512] Setting local nexthop addresses failed

Now since this is a VRRP cluster do I need to VPNt cluster IP in mcvr or in vrrp as well? 

Even I tried adding but I am getting below error

add mcvr vrid 10 backup-address 169.254.189.46
WARNING this may take a while; please be patient
NMSMVR0266 No interface with net address 169.254.189.46

 

0 Kudos
funkylicious
Advisor
‎2021-05-02 12:18 AM
In response to Blason_R

Is the 169.254.189.45 BGP peer arrive through the IPSec tunnel ?

I would also look into VTI's in order to configure BGP over VPN , something like this 

 

In order to create a VRRP IP , you would need to have interface(s) in that network.

0 Kudos
Blason_R
Leader
Leader
‎2021-05-02 06:44 AM
In response to funkylicious

Well yes!! It is arriving through tunnel and I am seeing decrypted in logs.

The setup is done exactly as said here.

And to my surprise and I am not sure if I need to add mcvr address in the configuration for VTI with BGP?

0 Kudos
funkylicious
Advisor
‎2021-05-02 08:57 AM
In response to Blason_R

Honestly, I'm just taking a wild guess here, but i think you need to create a tunnel interface like below and maybe then try the mcvr ip address.

Screenshot 2021-05-02 at 18.53.25.png

0 Kudos
Blason_R
Leader
Leader
‎2021-05-06 01:03 AM
In response to funkylicious

Well there must be a issue with VRRP solution for sure. I converted this cluster to Cluster XL and bgp peering happened immediately. That means in vrrp cluster mode firewall was not able to pick up the cluster ip however it did with cluster xl. 

 

Again would really apperciate if someone can confirm if this is a known limitation or if I hit any bug here?

0 Kudos
Vladimir
Champion
Champion
‎2021-05-06 05:56 AM

BGP over VTIs with VRRP is not supported. Just bumped into similar issue with one of my clients recently.

You'll have to switch to CLusterXL to get it going.

Also, in our case, we were not trying to establish tunnels with AWS, but with one of our peers, but another issue appeared to be that the use of arbitrary IPs on VTIs that are not adjacent (i.e. belong to a different network) did not work.

We've had to use IPs with identical first three octets, otherwise, tunnels would come up, but BGP peering would not.

From TAC:

"I spoke with our dynamic routing focal today and we got confirmation from R&D that VTIs and VRRP are not supported together because VRRP can't work with point to point interfaces. It seems that in order to get this configuration to work we would need to use clusterXL. We will make sure that we get the documentation updated to make this clear."

0 Kudos
Blason_R
Leader
Leader
‎2021-05-06 06:40 AM
In response to Vladimir

This is really surprising. There is no Sk neither any official limitation confirms that BGP does not support over VRRP.

0 Kudos
Vladimir
Champion
Champion
‎2021-05-06 07:08 AM
In response to Blason_R

Yeah, I've spent some significant time trying to make it work in the absence of relevant SK.

One was promised as a result of thie SR opened for the case, but since you still cannot find anything, it was not published yet.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫