This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
motiami
Contributor
‎2019-11-04 05:54 AM

ECMP with OSPF - how the gateway determines the next-hop

Hello,

We have a setup where a ClusterXL is connected to two ASR routers and OSPF is running.

The ASRs advertise to the cluster default route and the cluster installs these default routes in it's routing table so it has two equal-cost default routes to two different next hops.

The ASRs are used as our internet routers and they perform hide NAT when accessing the internet.

We are now facing an issue where one TCP session is routed towards router 1, gets NATed using that router's hide NAT pool, and at a certain time the CP gateway might choose the 2nd router for the same flow and then it gets a different hide NAT IP and hence the session is being terminated.

Is it possible to set the CheckPoint to maintain the same session to be routed to the same router? how does the CheckPoint determine which default route to use? 

I am reading this article and it says:

(4) Limitations

  • "Round robin" next hop algorithm is not supported.

  • "Source hash" next hop algorithm is not supported.

  • "Destination hash" next hop algorithm is not supported.

  • ECMP over OSPF supports up to 8 simultaneous routes.

So, what is then the algorithm that the CheckPoint uses in order to determine the next hop?

0 Kudos
3 Replies
Alex_Ambrose
Employee Alumnus
Employee Alumnus
‎2019-11-07 12:47 PM

Hi,

 

From sk100502:

Nexthops are selected based on weighted fair queuing. Once the next hop is selected it stays the same as long as entry is in the route cache. Once the entry is deleted from route cache nexthop can change when queried for destination next time.

 

The route cache mentioned above is a Linux concept and is managed by the kernel. There are some sysctl parameters that tune the behavior of the cache, but changing these is done at your own risk.

0 Kudos
motiami
Contributor
‎2019-11-07 09:50 PM
In response to Alex_Ambrose

Alex, thanks for your reply.

The gateway is getting two default routes with equal cost, so once the gateway choose a specific default route to use for a certain session, how come that in the middle of the session it decide to choose the 2nd default route? The session has not ended..

0 Kudos
Alex_Ambrose
Employee Alumnus
Employee Alumnus
‎2019-11-08 11:50 AM
In response to motiami

I'm not an expert with how this particular algorithm is run in the Linux kernel, so this is just speculation.

As far as I can tell, the Linux kernel is not connection-aware when determining these nexthops - it goes purely off the routing cache entries. If the entry corresponding to the connection is garbage collected and has to be re-created, it could change the nexthop mid-session. This could especially be the case if there's a lull in the traffic for a particular session and a large quantity of new cache entries being created at the same time. The cache entry for that session would be considered stale and garbage collected automatically to make room for the new entries.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events