Problems with routing

Misc notes from my wars with clustering and routing. Most of these are being worked on at CP.

1) Two sets of commands for clustering and routing

  1. drouter start/stop
  2. cphastop/clusterXL_admin

clusterXL_admin down does NOT stop routing, so it's possible for one member to route and another member to firewall. BAD. Routing should follow clustering.

2) GAIA and the kernel have two different views of what is in the routing table. GAIA is the right one.

3) cphastop and clusterXL_admin down have two different impacts on routing

cphastop stops the HA daemon, so even if routed is running it is NOT exchanging routes with the active member. OSPF will only see directly connected interfaces.

clusterXL_admin down leaves the HA daemon up, so even if the member is pnote down, it is still exchanging routes with the active member AND with the BR and BDR. Bad: one member should do both clustering and routing at the same time.

4) If an interface is part of OSPF and enabled but has no link, it is still advertised. BAD. It should not be advertised.

5) If you pull the sync cable and reboot, the cluster cannot find the right interface. It will even use a VLAN that is NOT the first or last. This is because it thinks the interface is a NEW interface and is not registered. This leads to Master-Master fights.
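
A monitoring check for the mismatch described in notes 1 and 3 (a member that is down for clustering but still holds OSPF adjacencies), as an added example that is not from the original post. The function names are hypothetical, and the text layouts for `cphaprob state` and the OSPF neighbor listing are constructed samples that assume the state is the last column of the "(local)" row and that full adjacencies appear as `FULL/...`.

```shell
#!/bin/sh
# Added example: flag a member that is down in the cluster but still routing.
# Both sample layouts below are constructed (assumptions), not captured output.

# Print the State column of the "(local)" row of cluster state text (stdin).
local_cluster_state() {
    awk '/\(local\)/ { print $NF; exit }'
}

# Count neighbor rows (stdin) that contain a field starting with FULL.
count_full_neighbors() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^FULL/) { n++; break } }
         END { print n + 0 }'
}

# $1 = local cluster state, $2 = number of FULL adjacencies.
# Returns 0 when routing follows clustering, 1 on mismatch.
routing_follows_clustering() {
    case "$1" in
        Active|Standby) return 0 ;;
    esac
    [ "$2" -eq 0 ]
}

# $1 = cluster state text, $2 = OSPF neighbor text. Prints a one-line verdict.
check_member() {
    state=$(printf '%s\n' "$1" | local_cluster_state)
    full=$(printf '%s\n' "$2" | count_full_neighbors)
    if routing_follows_clustering "$state" "$full"; then
        echo "OK state=$state full_neighbors=$full"
    else
        echo "MISMATCH state=$state full_neighbors=$full"
    fi
}

# Constructed sample: local member is Down but still has two full adjacencies.
SAMPLE_STATE='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       0%              Down
2          192.0.2.2       100%            Active'

SAMPLE_NEIGHBORS='Neighbor ID  Pri  State    Address     Interface
198.51.100.1 1    FULL/DR  203.0.113.1 eth1
198.51.100.2 1    FULL/BDR 203.0.113.2 eth1'

check_member "$SAMPLE_STATE" "$SAMPLE_NEIGHBORS"
```
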

Comments

  • Ricardo Villarreal  On February 1, 2014 at 12:47 am

    I really appreciate all your posts. Thanks keep going.

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.