Gaia> show router-options
Wait for cluster: false
Flap interface: false
Gaia>
Gaia> lock database override
Gaia> set router-options wait-for-clustering on
Gaia>save config
[Expert@Gaia]# drouter ?
Usage:
drouter start - Start Dynamic Routing daemon
drouter stop - Stop Dynamic Routing daemon
[Expert@Gaia]#
Gaia> show ospf summary
Gaia> show ospf neighbors
Gaia> show ospf border-routers
Gaia> show ospf interfaces
Gaia> show ospf interfaces stats
Gaia> show ospf interfaces detailed
Gaia> show ospf interface RELEVANT_INTERFACE
Gaia> show ospf interface RELEVANT_INTERFACE stats
Gaia> show ospf interface RELEVANT_INTERFACE detailed
Gaia> show ospf errors
Gaia> show ospf errors hello
Gaia> show ospf errors protocol
Gaia> show ospf events
Gaia> show ospf database
Gaia> show ospf database detailed
Gaia> show ospf database areas
Note: You can run the following commands from Expert mode to save the above outputs into files:
[Expert@Gaia]# clish -c "show ospf [relevant_information]" > /var/log/show_ospf_relevant_information.txt
Gaia> show route summary
RouteSource Networks
connected 4
kernel 0
static 3
aggregate 0
bgp 0
igrp 0
ospf 1006
rip 0
Total 1013
Gaia>
Objective
This article describes how to setup OSPF on Check Point Security Gateway running Gaia OS.
This article focuses on the basic configuration of OSPF and does not discuss any OSPF features in details.
Configurations have been tested and approved for R76 Gaia.
Introduction to OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) used to exchange routing information between routers within a single Autonomous System (AS).
OSPF calculates the best path based on true costs using a metric assigned by a network administrator. OSPF is efficient, has a quick convergence, and provides equal-cost multipath routing where packets to a single destination can be sent using more than one interface.
OSPF is suitable for complex networks with a large number of routers.
Network Topology
The following topology was used for this article:
Example of network topology between 2 single gateways:
OSPF Configuration action plan
Action plan and notes:
- If configuring OSPF on ClusterXL / VRRP cluster, then use cluster Virtual IP addresses.
Configuring basic OSPF in Gaia Portal
- Connect to Gaia Portal on Security Gateway with a web browser at
https://<Gateway_IP_addess>. - Once connected, make sure you are in the '
Advanced Mode' (check the upper left corner). - Go to '
Advanced Routing' section - go to 'OSPF' pane. - Enter Router-ID:
Notes:- The Router ID uniquely identifies the router in the Autonomous System.
- Router ID can be any IPv4 address (it does not necessarily need to be IP address assigned to the Security Gateway you are configuring). You can keep these values default. It is strongly recommended to set the Router ID rather than relying on the default setting. This prevents the Router ID from changing if the interface used for the Router ID goes down. You can use an IP address of a Loopback interface (other than 127.0.0.1).
- If configuring OSPF on ClusterXL / VRRP cluster, then use cluster Virtual IP addresses.
- Optional: Define OSPF Areas in addition to the backbone area:
In the 'Areas' section, click on 'Add' button.
- Add interface(s), whose network(s) should be advertised:
In the 'Interfaces' section, click on 'Add' button.
Notes:- Assign the appropriate OSPF Area to each interface.
- If needed, change the OSPF Intervals.
- All intervals and authentication methods must be the identical for all routers on the OSPF link.
- In ClusterXL, do NOT check the box "Use Virtual Address" (the Virtual IP address is always used).
- Configure the same settings on the other OSPF peers (make sure to enter the correct Area number).
Configuring basic OSPF on CLI
Notes:
- Basic OSPF setup can be configured on the CLI using the commands below.
- Inbound route filtering and route redistribution must be configured in Gaia Portal.
- Routemaps that can be used for route filtering (not discussed in this article) can also be configured on the CLI.
- If configuring OSPF on ClusterXL / VRRP cluster, then use cluster Virtual IP addresses.
- On VSX Gateway / VSX Cluster Member, the configuration must be performed in the context of Virtual Systm / Virtual Router (vsenv <VSID>).
Procedure:
- Connect to command line on the Gaia OS (over SSH, or console).
- Log in to Clish.
- Configure the OSPF:
HostName> set router-id 41.41.1.1 HostName> set ospf interface eth-s4p4 area backbone on
- Save the configuration:
HostName> save config - Configure the same settings on the other OSPF peers (make sure to enter the correct Area number).
Verifying OSPF Configuration
HostName> show ospf summary
OSPF Router with ID 41.41.1.1 Instance default
SPF schedule delay: 2 secs
Hold time between two SPFs: 5 secs
Number of Areas in this router: 1
Normal: 1 Stub: 0 NSSA: 0
RFC1583 compability mode is on
Number of Virtual Links in this router: 0
Number of UpEvents: 3 Number of DownEvents: 2
Default ASE Cost: 1
Default ASE Type: 1
Area: 0.0.0.0
Number of Interfaces in this area: 1
Number of ABRs: 0 Number of ASBRs: 0
Number of times SPF Algorithm executed: 7
No Area Ranges Configured
No Area Stubnets Configured
HostName>
HostName> show ospf neighbors
Example of network topology between 2 single gateways:
Support for OSPF in a cluster
- BackgroundGaia OS supports the OSPF protocol in cluster environment - either ClusterXL (High Availability New mode, both Load Sharing modes), or VRRP.
In this configuration, the cluster becomes a Virtual Router, which is seen by neighboring routers as a single OSPF router that has an IP address that is the same as the Virtual IP address of the cluster.
Note: If configuring OSPF on ClusterXL / VRRP cluster, then use cluster Virtual IP addresses. - ClusterXLClusterXL advertises its Virtual IP address as the Router ID. The OSPF routes database of the Active member (Master) is synchronized between all cluster members. The OSPF instance of each Standby member (Backup) obtains routing state and information from the Active member (Master) and installs the routes in the kernel as the Active member (Master) does.
During a failover, one of the Standby members (Backup) becomes the new Active member (Master) and then continues where the former Active member (Master) failed.
As a result, there should be no traffic outage and no need for OSPF graceful restart. - VRRPYou can configure OSPF to advertise the cluster Virtual IP address rather than the physical IP address of the interface. If you enable this option, OSPF runs only on the VRRP Master member.
During a failover, OSPF stops being active on the former VRRP Master member and then becomes active on the new VRRP Master member (former VRRP Backup member). Since the OSPF routes database of the VRRP Master member is not synchronized between all cluster members, a traffic break may occur during the time it takes the OSPF instance to become active on the new VRRP Master and the OSPF protocol to learn routes again.
The larger the network, the more time it takes OSPF to synchronize its database and install routes again.
Refer to sk104441 - OSPF Graceful Restart with VRRP in R77.30 and above. - Configuring OSPF on a cluster in Gaia Portal
ClusterXL uses Virtual IP address by default (and this cannot be disabled). Therefore, no configuration is required in Gaia Portal for Virtual IP Address (do NOT check the box "Use Virtual Address" in the interface's settings). - Configuring OSPF on a cluster in CLI
ClusterXL uses Virtual IP address by default (and this cannot be disabled). Therefore, no configuration is required in Clish for Virtual IP Address.
Troubleshooting
Symptoms:
Random OSPF outages might be experienced in the following scenarios:
- OSPF timers are reduced from default 10/40
- Number of OSPF neighbors increases
- Number of OSPF routes increases
- On VPN Security Gateways configured for MEP that redistribute RIM routes into OSPF, the OSPF database contains duplicate entries for the same RIM route that comes from both MEP Security Gateways (see sk115117)
Root Cause:
The root cause of all of these symptoms is that Gaia OS is not able to send out OSPF Hello packets in timely manner when it is busy running SPF calculation or performing other tasks.
Solution:
Check Point offers the following hotfixes to improve OSPF scalability:
# ID Description 1 02367866 Force OSPF Hello packets to be sent out even when RouteD daemon is busy processing the LS Updates, SPF calculation or synchronizing OSPF routes to other cluster member 2 02367871 Wait at least 15 seconds after the routes are synchronized to between cluster members to bring the Critical Device " routed" back to the "up" state.
This gives RouteD daemon enough time to run the SPF calculation and push OSPF routes down to the kernel.3 02367867 Improve stability of RouteD daemon on Standby cluster member.
Notes:
- The recommended timers for OSPF are default settings of 10/40.
- The OSPF forced Hello timer should be set to 1 Hello interval to a maximum of 10 seconds.
- Contact Check Point Support to get the relevant Hotfix.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways / Cluster Members involved in the case.
These three fixes are included in:
- Jumbo Hotfix Accumulator for R77.30 - since Take_210
