Solved: Re: dynamic routing mvc

dehaasm · ‎2023-01-24

Last week we tried to upgrade a gateway cluster member to version R81.10 from R80.40 which is using OSPF to propagate OSPF routes to neighbor devices. Using the MVC method after failover the routes are not propageted to the OSPF neighbors. Is this not supported anymore since using MVC?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Would the same occur with using BGP and what if the SMS is connected over BGP we will lock ourselves out completely? In other words a policy install would be impossible?

Could someone clarify how to deal with dynamic routing OSPF and/or BGP while upgrading to version R81.10 in a cluster using MVC?

Yair_Shahar · ‎2023-07-26

If it's ClusterXL HA (not VRRP) and if you did not enable ospf graceful-restart

then we expect both members to hold OSPF neigborship in MVC state

View solution in original post

Yair_Shahar · ‎2023-01-24

Hi,

OSPF and BGP are supported with MVC, routes should completely synced from R80.40 and R81.10 members.

Were there routes came back after a while on the R81.10 member?

What Jumbo take do you have on the R80.40 member and what Jumbo did you use on the R81.10 member?

How do you propagate the OSPF routes? redistribution? routemaps? other?

Yair

dehaasm · ‎2023-01-24

so if I am correct you should enable mvc on the upgraded member only?

We came from R80.40 take take 139 > R81.10 JHF81

We redistribute the interfaces on the Check Point, all local connected network into OSPF, after failing over to R81.10 we found that no routes were advertised and everything became unavailable. Should TAC have a deeper look into this?

dehaasm · ‎2023-01-24

so the issue we have seen was more related to not advertising the routes vs not having the routes, the OSPF neighbors did not have any route from Check Point

dehaasm · ‎2023-01-24

we waited 2 minutes but needed to fail back due to major impact.

Machine_Head · ‎2023-01-24

Happened to me that after upgrade to R81 OSPF didnt like the automatic router id.

Had to remove ospf config, set router id explicitly and add ospf config again.

dehaasm · ‎2023-01-25

we already have router-id explicitly configured

Yair_Shahar · ‎2023-01-24

Hi,

we suspect this is not related to MVC but to some known issue with in R81.10 and OSPF redistribution.

fix is not yet available in jumbo hf, I suggest contacting TAC investigating if this is related to ROUT-2422 and getting hotfix for it.

restart ospf should resolves it as workaround.

Yair

Alex- · ‎2023-01-24

Any known such issue with BGP and local interface redistribution? I encountered a similar case during an R81 to R81.10 MVC upgrade but not much time to troubleshoot before having to fallback.

dehaasm · ‎2023-01-25

I am also curious about that one because i have similar upgrade planned with same setup in less then 2 weeks.

Yair_Shahar · ‎2023-01-25

There were some known issues in the past related to BGP, hard to tell if those match what you experienced.

I can tell that latest jumbo hf of R81 and R81.10 include all relevant fixes to issues we were aware of (listed as resolved in jumbo hf SKs)

Yair

rdesai · ‎2023-07-26

Hi

Update,

We update the FW both from R80.10 to R81.10 latest JHF.

Both FW is learning the ospf routes however, only active fw is showing the ospf neighbor.

Not sure where to go from here.

dehaasm · ‎2023-07-26

I believe that is normal neigborship is via the virtual IP on Check Point when you failover that one takes it over

rdesai · ‎2023-03-22

Hi

We are facing the same issue.

Currently, we are running MVC, we raised this issue with TAC and they have advised that MVC does not support dynamic routing such as OSPF , BGP.

We manage to fix the failover to R81.10 by issue cpstop;cpstart to perform the Failover . We have been adivse to carry on the upgrade on the other FW, bring them to same version and we should see the OSPF routes populating. I hope so.

We are doing this tonight.

I ll update you how it goes.

Yair_Shahar · ‎2023-07-26

If it's ClusterXL HA (not VRRP) and if you did not enable ospf graceful-restart

then we expect both members to hold OSPF neigborship in MVC state

rdesai · ‎2023-08-01

Hi

We have graceful restart on on a active fw and off on standby fw.

If I need to switch off graceful restart on ospf do I need to do out of hours and will it cause any impact while doing so.

Thanks

Yair_Shahar · ‎2023-08-01

OSPF graceful Restart was available for VRRP only in R81 and below

in R81.10 and up - OSPF graceful Restart is supported for ClusterXL as well (same command)

if you configure OSPF graceful Restart - it must be configured on both members.

you might want to consider this R81.10 Known issue

rdesai · ‎2023-08-02

Hi Yair,

Thanks for the update.

Both FW are now configured with ospf graceful restart on.

I only see the OSPF neighbour on Active FW and No Neighbours found on standby.

Yair_Shahar · ‎2023-08-02

This is expected with GR

since we do not sync neighbor state with GR but only ospf routes

upon failover routes are kept on new active member, meanwhile ospf neighbor state is re established

rdesai · ‎2023-08-24

HI ,

Yes, i did a failover with GR enabled on both FW. neighbourship established on active member.

Thanks

Ronak

Are you a member of CheckMates?

dynamic routing mvc