This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oleksandr_Mamen
Explorer
‎2017-07-26 08:25 AM
Jump to solution

r77.30 ospf drop hello

Hi everyone

There are one cisco router, one cisco switch and checkpoint cluster in my infrastructure. Cisco router and cisco switch already established ospf neighborship and now I'm trying to establish ospf between between Catalyst 3650 and HA-Cluster R77.30. And it is not working.

Debug information
1. Catalyst sends hello to Cluster
14:40:52.400: OSPF: Send hello to 224.0.0.5 area 0 on Vlan201 from 172.16.1.9
14:41:01.645: OSPF: Send hello to 224.0.0.5 area 0 on Vlan201 from 172.16.1.9
2. Cluster receives it:
[Expert@FIREWALL-1:0]# tcpdump -i eth7.201 ip proto ospf
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth7.201, link-type EN10MB (Ethernet), capture size 96 bytes
17:31:58.572861 IP 172.16.1.9 > ospf-all.mcast.net: OSPFv2, Hello, length: 56
17:32:07.999643 IP 172.16.1.9 > ospf-all.mcast.net: OSPFv2, Hello, length: 56
3. But cluster drops this packets
Log Server Origin: 192.168.10.204
Time: 2017-07-26T14:52:54Z
Interface Direction: inbound
Interface Name: eth7.201
Id Generated By Indexer:false
First: true
Sequencenum: 2147483647
Source Zone: Internal
Rule UID: 145130C7-F7D3-4628-B3EA-13B005CFA621
Source: 172.16.1.9
Destination: 224.0.0.5
IP Protocol: 89
Access Rule Name: CLEAN-UP
Access Rule Number: 21
Action: Drop
Type: Log
Policy Management: MANAGEMENT-1
Blade: Firewall
Origin: FIREWALL-1
Service: 89
Product Family: Access
Layer Name: Firewall_layer
Interface: eth7.201
Description: ospf Traffic Dropped from 172.16.1.9 to 224.0.0.5


4. However I have rule for allow ospf traffic with number 4 (which is upper than 21)
SRC: Catalyst, Cluster
DST: multicast 224.0.0.5, 224.0.0.6, 224.0.0.1, Cluster
Service: OSPF, IGMP
Action: Accept

Could somebody give any help? Trying to make it works more than two days.

Alexander

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2017-07-27 08:01 AM
Jump to solution

I have a feeling using "Multicast Range" objects may be the issue, which I have to admit, I've never seen before now.

Try creating the multicast addresses as Host objects instead and use those in the policy.

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2017-07-26 09:57 AM
Jump to solution

Is 172.16.1.9 associated as the primary IP address of your gateway or cluster?

If not, you may need to explicitly add that to Rule 4.

On an unrelated topic, you named your firewall the name of the product 20 years ago Smiley Happy

0 Kudos
Oleksandr_Mamen
Explorer
‎2017-07-26 12:56 PM
In response to PhoneBoy
Jump to solution

Hi, Dameon.

First of all I'd like to thank you for such quick response.

172.16.1.9 is IP-address of Catalyst Switch which tries to establish ospf neighborship by sending hello packets to CP on multicast address 224.0.0.5.

You can see part of debug ip ospf hello catalyst in my previous message. According to the log Catalyst send HELLO-packets with source 172.16.1.9 and destination 224.0.0.5.

Also I used tcpdump on CP and noticed that it receives packets from Catalyst (number 2 in my previous message).

Firewall rules for OSPF were added according to the guide (screenshot in previous message). But CP is dropping hello packets.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-07-26 04:24 PM
In response to Oleksandr_Mamen
Jump to solution

This seems like a basic rule matching issue now that I look more closely at this.

Can you paste a screenshot of the objects used in the Destination for Rule 4 (not the Cluster object)?

0 Kudos
Oleksandr_Mamen
Explorer
‎2017-07-27 04:41 AM
In response to PhoneBoy
Jump to solution

Dameon, screenshots of destination objects

 1) OSPF-MULTICAST-ADDRESS (range 224.0.0.5-224.0.0.6)

2) ALLSYSTEMS.MCAST.NET (224.0.0.1)

3) C3650_1-SWITCH (172.16.1.9)

Also there are no matches in rule 4 and traffic is dropped according to the Clean-up rule 21

0 Kudos
PhoneBoy
Admin
Admin
‎2017-07-27 08:01 AM
Jump to solution

I have a feeling using "Multicast Range" objects may be the issue, which I have to admit, I've never seen before now.

Try creating the multicast addresses as Host objects instead and use those in the policy.

Oleksandr_Mamen
Explorer
‎2017-07-27 11:06 PM
In response to PhoneBoy
Jump to solution

IT WORKS!

My previous post was in "MODERATING" state to long and I started testing in changing firewall rules.

I have added a lot of new objects to OSPF-RULE: new objects for EVERY cluster link, new objects for multicast addresses and I was very surprised when CP established ospf neighborship after adding new object to the destination field, objects type was HOST and address 224.0.0.5. And after my all-day testing I received message about your answer.

So, thanks, you were right and issue was with object type MULTICAST-RANGE.

But for what should I use that multicast-range obj?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-07-27 11:14 PM
In response to Oleksandr_Mamen
Jump to solution

They are explained in the following sk: Multicast address ranges are not supported for use in the rulebase 

Basically they are used only in gateway topology, not in the rulebase.

0 Kudos
Gary_Torrico1
Participant
Participant
‎2018-01-29 07:17 PM
In response to Oleksandr_Mamen
Jump to solution

Hello,
I have the same problem.
1.- configure ospf of area 0
2.- Create object for multicast address.
3.- create a rule in the firewall.

4.- Install Policy.

The configuration is successful. I have adjacency with ospf neighbors and I have end-to-end connectivity. But in the smart log I still see drop connections for address 224.0.0.5 in the ospf 89 service.

detail of the drop connection.

Could somebody give any help?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-30 06:51 AM
In response to Gary_Torrico1
Jump to solution

Refer to the following SK: How to troubleshoot "Local interface address spoofing" issues 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events