This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Neville_Kuo
Advisor
‎2018-05-25 09:23 AM

OSPF neighbor count

Dear all:

Is there anyone who ever managed over 200 OSPF neighbors and 6 ares before? It's not difficult with Juniper/Cisco or other vendors but what about Check Point?

The customer is using Juniper SSG5200(HA) and doing OSPF over ipsec(Route based VPN) with 200 Juniper SSG350M(2 wan links) for 10 years(Built by me.), if I want to replace with Check Point, can central vpn termination point can handle so many vpn tunnels and OSPF neighbors? I'm afraid of routeD crashes sometimes, that's a nightmare for this kind of network scope.

I know customer can have better choice but I'm wondering can I do the same thing with CP5600(HA) and SMB models like CP1490(For branches)?

4 Replies
XBensemhoun
Employee
Employee
‎2018-05-26 06:57 AM

I assume your question could be divided on two points:

 - OSPF ability; I assume yes; you can check on sk95968‌ OSPF on Gaia general document and on its related documentations and solutions

- VPN in large environment: will you try Multiple Entry Point (MEP)? If so, look at the dedicated section of the VPN admin guide of your version.

Information Security enthusiast, CISSP, CCSP
0 Kudos
Neville_Kuo
Advisor
‎2018-05-27 06:55 PM
In response to XBensemhoun

Hi:

Actually I'ved tried large number of ospf neighbors and neighbors status start random dropping after over 60 neighbor counts(About 2 years ago with R77.30), that's why I doubt Check Point's routeD stability, and MEP is not what customer need since customer's dual wan should be Active/Active mode.

But still thanks for your replay, hope R80.10 or later version can be better.

XBensemhoun
Employee
Employee
‎2018-05-28 07:00 AM
In response to Neville_Kuo

So we need to wait concrete feebadck from Check Point: Dameon Welch Abernathy‌ could you help us on this?

Information Security enthusiast, CISSP, CCSP
0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-28 04:06 PM
In response to XBensemhoun

We've made a number of stability improvements in routed over the last two years, including situations where there are a large number of OSPF neighbors.

I believe most of these fixes were rolled into R80.10 as some of these fixes were available in R77.30 as well.