dehaasm
Collaborator

dynamic routing mvc

Last week we tried to upgrade a gateway cluster member to version R81.10 from R80.40 which is using OSPF to propagate OSPF routes to neighbor devices. Using the MVC method after failover the routes are not propagated to the OSPF neighbors. Is this not supported anymore since using MVC?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Would the same occur with using BGP and what if the SMS is connected over BGP we will lock ourselves out completely? In other words a policy install would be impossible?

Could someone clarify how to deal with dynamic routing OSPF and/or BGP while upgrading to version R81.10 in a cluster using MVC?

1 Solution

Accepted Solutions
Yair_Shahar
Employee

If it's ClusterXL HA (not VRRP) and if you did not enable ospf graceful-restart 

then we expect both members to hold OSPF neighborship in MVC state


19 Replies
Yair_Shahar
Employee

Hi,

OSPF and BGP are supported with MVC, routes should be completely synced from R80.40 and R81.10 members.

Did the routes come back after a while on the R81.10 member? 

What Jumbo take do you have on the R80.40 member and what Jumbo did you use on the R81.10 member?

How do you propagate the OSPF routes? redistribution? routemaps? other?

 

Yair

dehaasm
Collaborator

so if I am correct you should enable mvc on the upgraded member only?

We came from R80.40 take 139 > R81.10 JHF81

We redistribute the interfaces on the Check Point, all local connected network into OSPF, after failing over to R81.10 we found that no routes were advertised and everything became unavailable. Should TAC have a deeper look into this?

0 Kudos
dehaasm
Collaborator

so the issue we have seen was more related to not advertising the routes vs not having the routes, the OSPF neighbors did not have any route from Check Point

dehaasm
Collaborator

we waited 2 minutes but needed to fail back due to major impact.

0 Kudos
Gojira
Collaborator

Happened to me that after upgrade to R81 OSPF didn't like the automatic router id.

Had to remove ospf config, set router id explicitly and add ospf config again.

dehaasm
Collaborator

we already have router-id explicitly configured

Yair_Shahar
Employee

Hi,

we suspect this is not related to MVC but to some known issue with R81.10 and OSPF redistribution.

fix is not yet available in jumbo hf, I suggest contacting TAC to investigate whether this is related to ROUT-2422 and getting a hotfix for it.

restarting ospf should resolve it as a workaround.

 

Yair

0 Kudos
Alex-
Leader

Any known such issue with BGP and local interface redistribution? I encountered a similar case during an R81 to R81.10 MVC upgrade but not much time to troubleshoot before having to fall back.

0 Kudos
dehaasm
Collaborator

I am also curious about that one because I have a similar upgrade planned with the same setup in less than 2 weeks.

0 Kudos
Yair_Shahar
Employee

There were some known issues in the past related to BGP, hard to tell if those match what you experienced.

I can tell that latest jumbo hf of R81 and R81.10 include all relevant fixes to issues we were aware of (listed as resolved in jumbo hf SKs)

 

Yair

 

0 Kudos
rdesai
Participant

Hi 

 

Update, 

 

We updated both FWs from R80.10 to R81.10 latest JHF.

Both FWs are learning the OSPF routes; however, only the active FW is showing the OSPF neighbor.

Not sure where to go from here. 

 

0 Kudos
dehaasm
Collaborator

I believe that is normal; neighborship is via the virtual IP on Check Point, and when you fail over that one takes it over

0 Kudos
rdesai
Participant

Hi 

We are facing the same issue. 

Currently, we are running MVC, we raised this issue with TAC and they have advised that MVC does not support dynamic routing such as OSPF, BGP. 

We managed to fix the failover to R81.10 by issuing cpstop;cpstart to perform the failover. We have been advised to carry on the upgrade on the other FW, bring them to the same version and we should see the OSPF routes populating. I hope so.

We are doing this tonight. 

I'll update you how it goes. 

0 Kudos
Yair_Shahar
Employee

If it's ClusterXL HA (not VRRP) and if you did not enable ospf graceful-restart 

then we expect both members to hold OSPF neighborship in MVC state

rdesai
Participant

Hi 

 

We have graceful restart on on the active FW and off on the standby FW.

If I need to switch off graceful restart on OSPF, do I need to do it out of hours, and will it cause any impact while doing so?

 

Thanks

 

0 Kudos
Yair_Shahar
Employee

OSPF graceful Restart was available for VRRP only in R81 and below

in R81.10 and up - OSPF graceful Restart is supported for ClusterXL as well (same command)

 

if you configure OSPF graceful Restart - it must be configured on both members.

 

you might want to consider this R81.10 Known issue

 

 

 

0 Kudos
rdesai
Participant

Hi Yair, 

 

Thanks for the update. 

 

Both FW are now configured with ospf graceful restart on. 

 

I only see the OSPF neighbour on Active FW and No Neighbours found on standby. 

 

 

0 Kudos
Yair_Shahar
Employee

This is expected with GR

since we do not sync neighbor state with GR but only ospf routes 

upon failover routes are kept on new active member, meanwhile ospf neighbor state is re-established

0 Kudos
rdesai
Participant

Hi,

Yes, I did a failover with GR enabled on both FWs. Neighbourship established on active member. 

 

Thanks

Ronak

0 Kudos
