This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dehaasm
Contributor
‎2023-01-24 05:47 AM

dynamic routing mvc

Last week we tried to upgrade a gateway cluster member to version R81.10 from R80.40 which is using OSPF to propagate OSPF routes to neighbor devices. Using the MVC method after failover the routes are not propageted to the OSPF neighbors. Is this not supported anymore since using MVC?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Would the same occur with using BGP and what if the SMS is connected over BGP we will lock ourselves out completely? In other words a policy install would be impossible?

Could someone clarify how to deal with dynamic routing OSPF and/or BGP while upgrading to version R81.10 in a cluster using MVC?

Labels
11 Replies
Yair_Shahar
Employee
Employee
‎2023-01-24 06:17 AM

Hi,

 

OSPF and BGP are supported with MVC, routes should completely synced from R80.40 and R81.10 members.

Were there routes came back after a while on the R81.10 member? 

What Jumbo take do you have on the R80.40 member and what Jumbo did you use on the R81.10 member?

How do you propagate the OSPF routes? redistribution? routemaps? other?

 

Yair

dehaasm
Contributor
‎2023-01-24 08:00 AM
In response to Yair_Shahar

so if I am correct you should enable mvc on the upgraded member only?

We came from R80.40 take take 139 > R81.10 JHF81

We redistribute the interfaces on the Check Point, all local connected network into OSPF, after failing over to R81.10 we found that no routes were advertised and everything became unavailable. Should TAC have a deeper look into this?

0 Kudos
dehaasm
Contributor
‎2023-01-24 08:02 AM
In response to Yair_Shahar

so the issue we have seen was more related to not advertising the routes vs not having the routes, the OSPF neighbors did not have any route from Check Point

dehaasm
Contributor
‎2023-01-24 08:05 AM
In response to Yair_Shahar

we waited 2 minutes but needed to fail back due to major impact.

0 Kudos
juan_lo
Contributor
‎2023-01-24 09:06 AM
In response to dehaasm

Happened to me that after upgrade to R81 OSPF didnt like the automatic router id.

Had to remove ospf config, set router id explicitly and add ospf config again.

dehaasm
Contributor
‎2023-01-25 01:02 AM
In response to juan_lo

we already have router-id explicitly configured

Yair_Shahar
Employee
Employee
‎2023-01-24 09:08 AM
In response to dehaasm

Hi,

we suspect this is not related to MVC but to some known issue with in R81.10 and OSPF redistribution.

fix is not yet available in jumbo hf, I suggest contacting TAC investigating if this is related to ROUT-2422 and getting hotfix for it.

restart ospf should resolves it as workaround.

 

Yair

0 Kudos
Alex-
Advisor
‎2023-01-24 09:48 AM
In response to Yair_Shahar

Any known such issue with BGP and local interface redistribution? I encountered a similar case during an R81 to R81.10 MVC upgrade but not much time to troubleshoot before having to fallback.

0 Kudos
dehaasm
Contributor
‎2023-01-25 01:34 AM
In response to Alex-

I am also curious about that one because i have similar upgrade planned with same setup in less then 2 weeks.

0 Kudos
Yair_Shahar
Employee
Employee
‎2023-01-25 05:15 AM
In response to dehaasm

There were some known issues in the past related to BGP, hard to tell if those match what you experienced.

I can tell that latest jumbo hf of R81 and R81.10 include all relevant fixes to issues we were aware of (listed as resolved in jumbo hf SKs)

 

Yair

 

0 Kudos
rdesai
Explorer
Wednesday

Hi 

We are facing the same issue. 

Currently, we are running MVC, we raised this issue with TAC and they have advised that MVC does not support dynamic routing such as OSPF , BGP. 

We manage to fix the failover to R81.10 by issue cpstop;cpstart to perform the Failover . We have been adivse to carry on the upgrade on the other FW, bring them to same version and we should see the OSPF routes populating. I hope so.

We are doing this tonight. 

I ll update you how it goes. 

0 Kudos