I am working to bring up OSPF. It looks like it is throwing an auth error all the time. I doubt I am missing something at the Check Point side.
What could be the issue? It is a new setup and there is no SmartDashboard server installed at the moment. The plan was to make the OSPF connectivity work. At the moment there are no initial rules on this firewall, so it is accepting all traffic.
Debug log from the Cisco side (which is the other side of the OSPF neighbor):
Jun 23 10:52:42.860 AST-Sum: OSPF-1 ADJ Vl2573: Rcv pkt from 10.7.248.26 : Mismatched Authentication key - ID 3.
Cisco Side OSPF Config
interface Vlan2573
description XXXXXXXXXXXXXX
ip address 10.7.248.25 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 3 md5 7 XXXXXXXX
If there are no initial rules on the firewall, you are actually dropping all traffic, including OSPF:
From Admin Guide: "Until the Security Gateway administrator installs the Security Policy on the Security Gateway for the first time, security is enforced by an Initial Policy.
The Initial Policy operates by adding the predefined implied rules to the Default Filter policy.
These implied rules forbid most communication, yet allow the communication needed for the installation of the Security Policy. The Initial Policy also protects the Security Gateway during Check Point product upgrades, when a SIC certificate is reset on the Security Gateway, or in the case of a Check Point product license expiration."
To allow OSPF until policy is configured and installed:
Execute "fw unloadlocal" in expert mode on this gateway, IF IT IS NOT in production, to actually remove the default policy.
If you need routing to work while in the wide-open state, execute "echo 1 > /proc/sys/net/ipv4/ip_forward"
That last one is actually courtesy of @Timothy_Hall .
To properly configure your policy for OSPF, see sk39960.
@Vladimir is 100% right. You NEED rules to allow ospf, period.
Thank you for your reply.
I used "fw unloadlocal", so I don't think OSPF is getting blocked. As I shared earlier, it is throwing an auth error (image attached before).
FW# cpstat -f policy fw
Product name: Firewall
Policy name:
Policy install time:
Num. connections: 0
Peak num. connections: 0
Connections capacity limit: 0
Total accepted packets: 0
Total dropped packets: 0
Total rejected packets: 0
Total accepted bytes: 0
Total dropped bytes: 0
Total rejected bytes: 0
Total logged: 0
Hmm...
I'm a bit surprised to see the packet counters at 0.
That said, there used to be an issue in the R77.30 days specific to OSPF auth due to an MTU mismatch, sk109092.
hello @Vladimir
My version is R80.40. Will check to see if enabling Subtract Authlen resolves the issue
Which version & jumbo is this Gateway installed with?
(Note OSPF network type point-to-point isn't supported if set on the Cisco side).
Hello Chris,
Cisco side is not P2P OSPF.
Cisco Side OSPF Config
interface Vlan2573
description XXXXXXXXXXXXXX
ip address XX.XX.XX.XX 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 3 md5 7 XXXXXXXX
CP Version is 80.40 and Build is 309
To clarify you already have the latest GA jumbo installed (JHF T158)?
What's the password complexity like, have you experimented with something simple?
Hello @Chris_Atkinson
After setting the key with a 16-character one, it got resolved. 😎
To clarify you already have the latest GA jumbo installed (JHF T158)? -- I do not know how to check this. Can you suggest?
Thanks for constantly trying to help me.
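The fix above (a 16-character key) lines up with how OSPFv2 cryptographic authentication is defined: RFC 2328 Appendix D uses a 16-octet key, appends it to the packet and MD5-hashes the result, and the receiver recomputes the digest with the key it has stored under the Key ID carried in the header. The following is an added example written for this thread, not code from Check Point, Cisco or the poster. It builds and verifies an AuType 2 Hello packet so you can see where a "Mismatched Authentication key - ID 3" rejection comes from. The Hello body, the key strings and the two policies for keys longer than 16 octets ("truncate" versus "keep") are constructed assumptions for illustration; how any particular vendor treats an over-long key is not something the thread states. The router ID and Key ID reuse the values from the Cisco config posted earlier.

```python
import hashlib
import hmac
import socket
import struct

OSPF_HDR_LEN = 24        # fixed OSPFv2 header, including the 8-byte Authentication field
AUTH_TYPE_CRYPTO = 2     # AuType 2 = cryptographic authentication (RFC 2328 Appendix D)
MD5_KEY_LEN = 16         # RFC 2328 D.3: the authentication key is 16 octets
MD5_DIGEST_LEN = 16      # Auth Data Len carried in the header
OSPF_VERSION = 2
HELLO_TYPE = 1


def normalize_key(configured: bytes, long_key_policy: str = "truncate") -> bytes:
    """Map a configured key string onto the 16-octet key the digest uses.

    Keys shorter than 16 octets are zero-padded. What happens to a longer key
    is an assumption of this example: "truncate" keeps the first 16 octets,
    "keep" hashes the whole string as typed. Two peers applying different
    policies to the same long string derive different digests even though the
    operator configured the same key on both sides.
    """
    if len(configured) > MD5_KEY_LEN and long_key_policy == "truncate":
        configured = configured[:MD5_KEY_LEN]
    return configured.ljust(MD5_KEY_LEN, b"\x00")


def build_packet(router_id: str, area_id: str, key_id: int, seq: int,
                 key: bytes, body: bytes) -> bytes:
    """Build an OSPFv2 packet with AuType 2 and the MD5 digest appended."""
    length = OSPF_HDR_LEN + len(body)   # the digest is NOT counted in the length field
    # Authentication field for AuType 2: 0x0000, Key ID, Auth Data Len, Cryptographic Sequence Number
    auth_field = struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, HELLO_TYPE, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTH_TYPE_CRYPTO) + auth_field   # checksum is 0 with AuType 2
    packet = header + body
    digest = hashlib.md5(packet + key).digest()   # MD5 over packet || 16-octet key (RFC 2328 D.4.3)
    return packet + digest


def verify_packet(packet: bytes, key_table: dict, last_seq=None):
    """Validate a received packet the way a neighbour's receive path would.

    key_table maps Key ID -> 16-octet key. Returns (accepted, reason); the
    reasons mirror the checks a router reports when it rejects a packet.
    """
    if len(packet) < OSPF_HDR_LEN:
        return False, "packet shorter than OSPF header"
    _ver, _ptype, length, _rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    if autype != AUTH_TYPE_CRYPTO:
        return False, f"authentication type mismatch (got AuType {autype})"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    # The digest sits after 'length' bytes; an MTU or auth-length accounting error shows up here
    if len(packet) != length + auth_len:
        return False, f"length mismatch: {len(packet)} bytes on wire, expected {length}+{auth_len}"
    key = key_table.get(key_id)
    if key is None:
        return False, f"no key configured for ID {key_id}"
    if last_seq is not None and seq < last_seq:
        return False, f"cryptographic sequence number {seq} older than last seen {last_seq}"
    covered, received = packet[:length], packet[length:]
    expected = hashlib.md5(covered + key).digest()
    if not hmac.compare_digest(received, expected):
        return False, f"Mismatched Authentication key - ID {key_id}"
    return True, "authenticated"


def demo():
    """Constructed scenarios: same long key string handled two ways, then a 16-octet key."""
    # Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.252"), 10, 0x02, 1, 40, bytes(4), bytes(4))
    long_key = b"this-key-is-longer-than-16"   # constructed, 26 characters
    good_key = b"exactly16octets!"             # constructed, exactly 16 characters
    # Case 1: identical long string, sender truncates, receiver keeps the whole string
    pkt = build_packet("10.7.248.25", "0.0.0.0", 3, 1, normalize_key(long_key, "truncate"), body)
    mismatch = verify_packet(pkt, {3: normalize_key(long_key, "keep")})
    # Case 2: 16-character key, both policies derive the same 16 octets
    pkt2 = build_packet("10.7.248.25", "0.0.0.0", 3, 2, normalize_key(good_key), body)
    ok = verify_packet(pkt2, {3: normalize_key(good_key, "keep")}, last_seq=1)
    # Case 3: the peers disagree on the Key ID
    wrong_id = verify_packet(pkt2, {4: normalize_key(good_key)})
    # Case 4: a byte of the body altered in transit
    tampered = pkt2[:OSPF_HDR_LEN] + bytes([pkt2[OSPF_HDR_LEN] ^ 1]) + pkt2[OSPF_HDR_LEN + 1:]
    return {"long_key": mismatch, "16_char_key": ok, "wrong_id": wrong_id,
            "tampered": verify_packet(tampered, {3: normalize_key(good_key)})}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the first case reproduces the symptom from the Cisco debug log (same key typed on both peers, digest still mismatched), while the 16-character key authenticates under either policy. The length check is where an MTU-related auth problem of the sk109092 kind would surface, and the sequence-number check is the RFC's replay protection, so a receive path that logs each rejection reason separately tells you which of these an adjacency is failing on.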
If you need to check anything, I got working ospf/bgp in the lab on latest R81.10 jumbo 61 version, so happy to show you.
Glad it's resolved.
From the CLI in Expert mode on the Gateway: "cpinfo -y all"
This should output the currently installed hotfix level information.