This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2022-09-15 11:31 AM
Jump to solution

My BGP routes are showing as Hidden and Inactive

Hi Team,

I am facing this one more issue with BGP and route from other path is being received as Hidden and Inactive. I have scenario as depict in diagram. I am currently receiving route from Provider 1 which is fine. However route received from Provider 2 is showing as Hidden and Inactive on my firewall routing table.

I am at FW1 with version R80.30 with AS 64520 with network 172.31.24.0/24 while other peer is 64520 as well with network 10.100.0.0/16. However we are connected with two providers and route learned from provider-2 is getting as Hidden and Inactive from FW1 perspective.

Can someone please help?

 

set bgp external remote-as 9730 on
set bgp external remote-as 9730 peer xx.xx.xx.xx on
set bgp external remote-as 9730 peer xx.xx.xx.xx holdtime 15
set bgp external remote-as 9730 peer xx.xx.xx.xx keepalive 5
set bgp external remote-as 65001 on
set bgp external remote-as 65001 peer yy.yy.yy.yy on
set bgp external remote-as 65001 peer yy.yy.yy.yy as-override on

 

Here is my route table at FW1

 

#show route bgp

B               10.100.0.0/16       via xx.xx.xx.xx, eth1, cost None, age 913492

 

And here is the issue

 

B               10.100.0.0/16       via xx.xx.xx.xx, eth1, cost None, age 913540
B          H i  10.100.0.0/16       is an unusable route

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Preview file
67 KB
0 Kudos
1 Solution

Accepted Solutions
Blason_R
MVP Gold
MVP Gold
‎2022-09-15 08:37 PM
In response to Chris_Atkinson
Jump to solution

I guess this need allow-as. This resolved the issue

set bgp  external remote-as 65001 peer yy.yy.yy.yy allowas-in-count 2
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-09-15 06:45 PM
Jump to solution

Do you have route filters or route-maps configured accepting the routes and how do the as-paths compare?

CCSM R77/R80/ELITE
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-09-15 07:55 PM
In response to Chris_Atkinson
Jump to solution

Yes - default route filters configure and no such mechanism for as-path comparison

set inbound-route-filter bgp-policy 512 based-on-as as 9730 on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
set inbound-route-filter bgp-policy 516 based-on-as as 65001 on
set inbound-route-filter bgp-policy 516 accept-all-ipv4

set route-redistribution to bgp-as 9730 from static-route 172.16.0.0/12 on
set route-redistribution to bgp-as 9730 from static-route 192.168.0.0/16 on
set route-redistribution to bgp-as 65001 from static-route 172.16.0.0/12 on
set route-redistribution to bgp-as 65001 from static-route 192.168.0.0/16 on
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-09-15 08:06 PM
In response to Blason_R
Jump to solution

Do I need to use

allowas-in Accept a IPv4-route that contains the local-AS in the as-path

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-09-15 08:15 PM
In response to Blason_R
Jump to solution

What do you see with: "show route bgp aspath" ?

Please also review the following:

sk173204: Received BGP routes appear as unusable, hidden and inactive

CCSM R77/R80/ELITE
Blason_R
MVP Gold
MVP Gold
‎2022-09-15 08:37 PM
In response to Chris_Atkinson
Jump to solution

I guess this need allow-as. This resolved the issue

set bgp  external remote-as 65001 peer yy.yy.yy.yy allowas-in-count 2
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events