This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Phillips
Participant
‎2022-07-06 06:18 AM

r80.10 ospf issues

I'm seeing some issues with OSPF, vSEC R80.10

 we see regular OSPF convergence on the vSEC cluster which dumps routes for a short time and is causing some instability.

In the logs i see lots of connections dropped origin being the secondary cluster member & due to antispoofing, the dropped traffic is from vip addresses to the associated ospf neighbor for service ospf.

we have an antispoofing group configured on the interfaces that includes the ip ranges of both the src & dst ospf neighbors & antispoofing action is set to detect & log so i'm not sure why the secondary checkpoint is dropping.

show ospf neighbors shows errors incrementing for 1 neighbor.

anyone seen anything like this with checkpoint and ospf?

when i look at show ospf neighbors on both checkpoints i see they have the exact same details, including interface details, I would have thought each cluster member would use its own IP to form neighbour relationships but understand why they use the vip as it ensures the neighbors send to the active ip which leads me to a few q's:

  1. is the standby /secondary cp dropping ospf from the neighbour intentionally but shows as antispoof in the logs?
  2. does the active cp sync the ospf database to the secondary so the secondary never needs to actively form neighbor relationships?
  3. are the drops in the logs normal behaviour for the secondary?

i appreciate we need to upgrade but you already know why that hasn't happened.

Thanks

 

 

 

 

Labels
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-07-06 06:39 AM

sk95968 discusses the OSPF sync in a cluster.

Only the ACTIVE member should be actively participating in OSPF.

Does your policy allow for IGMP traffic & the OSPF multicast addresses (see sk39960)?

Are the OSPF Router IDs configured the same on both members of the cluster?

 

CCSM R77/R80/ELITE
0 Kudos
Chris_Phillips
Participant
‎2022-07-07 03:54 AM
In response to Chris_Atkinson

thanks @Chris_Atkinson 

that sk95968 answers a number of my questions, 

it is a clusterxl cluster & the doc exolains that the ospf db is synced from the master which is fine, 
the ospf router ID's are identical on both cluster members, 

our ospf rule did not permit igmp or 224.0.0.1, i have added a new rule beneath the old rule permitting both those with the neighbors but do not see any hits or logs on it.

i did see drops from the gateways to 224.0.0.22, but the fw accepted teh same from the neighbors under implied rules. 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-07-07 04:45 AM
In response to Chris_Phillips

@Chris_Phillips Which Jumbo is installed on this Cluster, higher than T288?

Do you see FIBMGR (TCP/2010) between the gateways being accepted?

What's the interface/network config look like on the other side is it Nexus with VPC or something else?

(Note P2P network type is not supported with OSPF per sk116500)

CCSM R77/R80/ELITE
0 Kudos
Chris_Phillips
Participant
‎2022-07-11 09:58 AM
In response to Chris_Atkinson

@Chris_Atkinson 

its unloved and running t112.

i see traffic accepted for tcp2010 but it its not directed at the ospf gateways in question but others

the other side is nsx-t 

i'm wondering if rfc 1583 compatibility (on) could be an issue here?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-07-11 04:44 PM
In response to Chris_Phillips

You could test that if you wish, but I would try and update the jumbo.

Is Graceful restart used/configured on either side currently?

CCSM R77/R80/ELITE
0 Kudos
Chris_Phillips
Participant
‎2022-07-22 06:54 AM
In response to Chris_Atkinson

@Chris_Atkinson 
just to update this in case i come across this in the future!!

so we upped the ospf timers from 1 / 3 to 10 /40 and things seemed to stabilise but overnight fell over again.

My colleague Nathan looked to download a hotfix on 1 gateway which failed as the directory was full.
/var/log/auth was 25+G so we deleted on both gateways, created a new auth file with correct permissions then restarted syslogd (lsopf showed /var/log/auth was used by it). checked /var/log/auth to check new logs where entered.

so far so good, 

from ~20 ospf events per hour so far its been 0 over the last 5 hours.

Last day on the account so hopefully it'll be ok going forward.

Of course the real fix should be an update but that scares everyone.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-07-22 08:48 AM
In response to Chris_Phillips

Can you clarify what hotfix was installed or none in the end only clearing space in addition to the timer change?

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events