the_rock
Legend

No OSPF routes for newly added vlan interface

Hey guys,

I hope someone can confirm something for me. We have a customer that added a new interface in the OSPF config (via web UI), as per the screenshot I posted, but for some reason, we don't see any routes going through it. Now, the first interface listed is physical and that works fine, but the 2nd one is a VLAN and that does NOT work. T3 from TAC support said VLAN should be fine and I can't see anywhere in the documentation that it would not be supported either.

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_Advanced_Routing_AdminG...

Now, if the customer replaces the VLAN interface with a regular one, it works fine. Any clue if this is indeed supported and if so, what could we be missing?

Thanks as always 

Andy

It's a cluster, R81.10 take 81

Screenshot_1.png

15 Replies
PhoneBoy
Admin

You're using the physical interface (as in it has an IP address/netmask) AND a VLAN actively, correct?
That might be causing an issue.

the_rock
Legend

I will double check with the customer, but I'm 99% sure that to be the case, yes.

Andy

the_rock
Legend

Any way to make this work then? Also, TAC told us that we need to adjust route maps to reflect routes that show as hidden...

Exact response:

Hello Andy,

To answer your question, we were able to see the routes coming from the vlan interface during the last remote session. However, those routes are currently in hidden/inactive. This would mean that these routes are not actively being used in the routing table. In order to get routes to be active, I suggested to create a routemap to match and allow the networks in particular coming from the vlan interface. This is my suggested solution for this case. Looking forward to a response. Thank you!

Bob_Zimmerman
Authority

This definitely works without any particularly weird configuration. I have a bunch of firewalls with untagged interfaces and tagged subinterfaces all participating in OSPF.

Are they learning the same routes? By default, multiple exact matches of a given prefix all make it into the RIB, but only one of them makes it from there into the FIB.

How many peer devices are there on VLAN 53? Are the peer devices maybe set to run OSPF passively on VLAN 53?

the_rock
Legend

Hi Bob,

Yes, they are learning the exact same routes. As far as CP, I see both interfaces have passive set to off (as per the screenshot in my original post). Not sure about peer devices, will ask the customer.

Andy

Bob_Zimmerman
Authority

Oops. I was wrong. A passive interface doesn't send hellos at all, so it won't form an OSPF adjacency.

If the firewall is learning exactly the same routes from both interfaces, that could explain it. Do you have ECMP enabled on the firewall?

the_rock
Legend

According to this, it's enabled by default for OSPF:

https://support.checkpoint.com/results/sk/sk100502

Andy

genisis__
Leader

What's the CLI configuration look like?

I did a test with GNS3 (still have the lab), where I created 2x Totally Stubby areas and 1x NSSA, all linked to the GW which injected the default route. Then I redistributed EIGRP routes into OSPF and vice versa, and it all just worked.

I used R81.10 with JHFA113 in my lab, with Cisco 7200 router images and a Cisco switch image.

Do you see a neighbour up?

the_rock
Legend

Yup, the neighbor is up; just the additional VLAN interface was added to the OSPF config as per my screenshot.

genisis__
Leader

If the neighbour is up on the new interface, then the next thing I would check is if the network statement is in place for the directly connected network, and if that's in place check the OSPF database table to see if it contains the routes.

One thing I did in my lab as well is get topology and push policy.

What is the external router?

Feels like the issue is outside Checkpoint.

the_rock
Legend

Good point, will double check the topology later on after my run, need some exercise : - )

Andy

the_rock
Legend

Hey guys,

Just to update this issue, TAC asked us to create new route maps for the affected subnets, but I don't see logically how that will do anything, as the route maps have been there for almost 2 years now. Anyway, we have a window tonight and let's see how it goes... fingers crossed.

genisis__
Leader

Any update on this?

the_rock
Legend

Some progress today. Had another remote session with T3 in DTAC and, after following the example from section 3B of sk100501, we now see the affected route shows as i and not hidden, but he said he will check why it's still showing as inactive.

Thanks.

Andy

the_rock
Legend

Hey guys,

Just to give an update on the issue... the Tier 3 guy from Dallas TAC told me he is consulting with escalation on this, so hopefully there is an update soon (not sure when though).

Cheers,

Andy
