This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Abeja_huhuhu
Contributor
‎2018-12-31 07:38 PM
Jump to solution

cphaprob status showing down cause by routed

Hi Team, wishing you guys happy new year.  i need some help. i have deployed checkpoint firewall HA using clusterXL . this firewall also having BGP routing configured. i can see that only one firewall will have BGP peer status establish. secondary firewall will have peer status as idle. cphaprob status as per below:

cphaprob state

Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name                                              

1          192.168.8.196   0%              DOWN           amadelo01-new
2 (local)  192.168.8.197   100%            ACTIVE         amadelo02-new

on the the secondary node, we can see that the cluster is down due to routed pnote:

Active PNOTEs: ROUTED

Last member state change event:
   Event Code:                 CLUS-111700
   State change:               INIT -> DOWN
   Reason for state change:    ROUTED PNOTE
   Event time:                 Mon Dec 31 18:51:03 2018

Last cluster failover event:
   Transition to new ACTIVE:   Member 1 -> Member 2
   Reason:                     Reboot
   Event time:                 Mon Dec 31 18:47:01 2018

Cluster failover count:
   Failover counter:           3
   Time of counter reset:      Mon Dec 31 18:51:03 2018 (reboot)

output of cphaprob list:

cphaprob list

Registered Devices:

Device Name: routed
Registration number: 2
Timeout: none
Current state: problem
Time since last report: 59996.3 sec

i have try reinstall policy to the firewall but still the status showing down. is there anything that we could use to force it to be Standby again instead of showing down.?

1 Solution

Accepted Solutions
Alessandro_Marr
Advisor
‎2019-01-05 09:48 AM
In response to Abeja_huhuhu
Jump to solution

you need disable on cisco this proprietary feature, ciscorouterefresh...  when the gateway receive a route advertisement or any message of BGP with any proprietary feature it become instable. 

in one of my routers I couldn´t because I could not update his IOS, if it is not possible, you could try using OSPF

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2018-12-31 11:22 PM
Jump to solution

Did you check this SK? 

Standby Cluster member in "Down" state with routed PNOTE in problematic state 

0 Kudos
Abeja_huhuhu
Contributor
‎2019-01-03 11:17 PM
In response to PhoneBoy
Jump to solution

Hi Daemon,

thanks for the suggestion. i have check the SK and not much help on that. but i can confirm the issue happened due to the standby node does not get the default route from BGP. so most probably the route is not identical for both firewall node which causing the routed process state change to problem. However, i notice after leaving it running for a while the standby node starting to import the default route advertise by BGP peers even though the status of peers is idle. The only changes that i have made is to disabled cluster fold which allow each node to connect using its own ip instead of using cluster ip.

for me this can considered as working.

Alessandro_Marr
Advisor
‎2019-01-04 02:23 AM
Jump to solution

Is your bgp peer a router Cisco?

When peers send routes advertises can you see if any special parameters are been sending too?

DO you have a capability like a route-refresh on other side?

0 Kudos
Abeja_huhuhu
Contributor
‎2019-01-04 07:41 PM
In response to Alessandro_Marr
Jump to solution

Hi Alessandro,

yes, peer is using cisco. you may find below are the capabilities introduce to us.

State                         Established (Uptime: 02:33:22)  
Peer Type                     eBGP Peer  
Remote AS                     45352     
Local AS                      2.7076 (138148)  
Peer Capabilities             InetUnicast,RouteRefresh,CiscoRouteRefresh,4-Byte AS Extension  
Our Capabilities              InetUnicast,RouteRefresh,4-Byte AS Extension  
Authentication                None      
Multihop                      Off       
Reachability Detection        Off       
Graceful Restart              Off       
Keepalives                              
    Last Received             32s       
    Last Sent                 24s       
    Interval                  60s       
    Holdtime                  180s      
Received                                
    IPv4 Routes               1 (1 active)  
    IPv6 Routes               0 (0 active)  
Sent                                    
    IPv4 Routes               3         
    IPv6 Routes               0         

the same capabilities introduce for IPv6 peers.

based on above, i believed it does have route-refresh capabilities.

i notice in the logs i can see it also sending us unrecognize capabilities. below are portion of the logs.

(proto) received unrecognized capability 70. Ignoring capability 70

0 Kudos
Alessandro_Marr
Advisor
‎2019-01-05 09:48 AM
In response to Abeja_huhuhu
Jump to solution

you need disable on cisco this proprietary feature, ciscorouterefresh...  when the gateway receive a route advertisement or any message of BGP with any proprietary feature it become instable. 

in one of my routers I couldn´t because I could not update his IOS, if it is not possible, you could try using OSPF

Abeja_huhuhu
Contributor
‎2019-01-10 03:48 PM
In response to Alessandro_Marr
Jump to solution

Thanks for your suggestion. we manage to get the upstream to disable the capabilities and now i can see the gateway is much more stable. so far no more firewall flapping cause by routed. i think this should be solved  the issue.

0 Kudos
Alessandro_Marr
Advisor
‎2019-01-11 05:05 AM
In response to Abeja_huhuhu
Jump to solution

thank you!!

0 Kudos
zhangchuang
Contributor
‎2022-12-07 12:15 AM
In response to Alessandro_Marr
Jump to solution

What features of Cisco are you turning off? I have a similar problem now.

0 Kudos
DZ_KB
Collaborator
‎2023-03-12 01:17 PM
In response to Alessandro_Marr
Jump to solution

Hi @Alessandro_Marr , @PhoneBoy ,

Is there an SK that talks about this issue ?

Thx

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-03-12 03:13 PM
In response to DZ_KB
Jump to solution

Are you also seeing an error as listed in sk117598 or just a general pnote due to routed? 

Is graceful restart configured/used to improve failover behavior?

Refer also:

https://community.checkpoint.com/t5/Management/BGP-Peering/td-p/15260

CCSM R77/R80/ELITE
0 Kudos
DZ_KB
Collaborator
‎2023-03-13 03:34 AM
In response to Chris_Atkinson
Jump to solution

yes graceful restart is configured.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events