Community Member

OSPF between a Cisco Router and a Checkpoint

I am trying to establish OSPF between two Cisco routers and an HA-configured pair of Checkpoint firewalls that reside on the same LAN segment. The two routers form a good adjacency, but the routers will not form an adjacency to the Checkpoints. The neighbor status shows exstart/drother, then goes down, then back to exstart/drother. We have verified that the MTU sizes and the hello, dead, wait and retransmit times are the same. I am showing sent and received packets from the Checkpoints. Has anyone had this issue?

Thanks,

Jack

4 REPLIES
Silver

Re: OSPF between a Cisco Router and a Checkpoint

Hello Jack,

Since the router is stuck in exstart stage, I suspect MTU.

However, even when the MTUs of both systems match, I have seen adjacencies between Cisco switches and routers fail because of this.

Try the ip ospf ignore-mtu interface command, and see what happens.

Also try to disable link-local signalling between non-cisco devices with the ip ospf lls disable interface command. This is recommended in case the device is not in compliance with RFC 2328.

HTH

--Leon

* Please rate ALL posts.

Cisco Employee

Re: OSPF between a Cisco Router and a Checkpoint

The Checkpoint FW probably doesn't support local link signaling (LLS), which is used for the support of NSF. Generally speaking, they should just ignore the extraneous information if they don't support it.

Fortunately, the following knob has been added to disable LLS on the IOS side to interoperate with other vendors not supporting LLS:

router ospf x
 no capability lls

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
Community Member

Re: OSPF between a Cisco Router and a Checkpoint

Set the Checkpoints' OSPF priority to 0. I have Checkpoint on the Nokia platform and they are configured to never ever ever be the designated router. Let the routers be the designated router and life is much better.

Community Member

Re: OSPF between a Cisco Router and a Checkpoint

Working with the Checkpoint vendor, we found the issue. It was a firewall policy that was not allowing packets from the routers through to the firewalls. Following the Checkpoint documentation, the policy was only allowing the multicast addresses, not the specific router IP addresses.
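The last reply pins the problem on a firewall policy that permitted OSPF only to the multicast groups. The Python script below is an added example, not code from the thread, from Cisco or from Check Point: it models the inbound flows the OSPF state machine needs on a broadcast segment and evaluates two constructed policies against them. A multicast-only policy lets Hellos (sent to 224.0.0.5) through, so the neighbor is discovered, but it drops the Database Description packets, which are unicast between the two neighbors, so the adjacency sticks in EXSTART exactly as the question describes. The addresses, the rule format and the Rule/Flow helpers are assumptions made for the example.

```python
"""Model the OSPF flows a firewall must accept from a router on the same
segment, and check a simple first-match policy against them.

Added example; addresses and policy rules are constructed, not taken from
the thread.  Rule/Flow are stand-ins for a real firewall's rulebase.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

OSPF_PROTO = 89                # OSPF rides directly on IP, protocol 89
ALL_SPF_ROUTERS = "224.0.0.5"  # Hellos, and flooding from the DR/BDR
ALL_DR_ROUTERS = "224.0.0.6"   # flooding from DROthers towards the DR/BDR

# Constructed addresses for the example (TEST-NET-1 range)
LAN = "192.0.2.0/24"
ROUTERS = ["192.0.2.1", "192.0.2.2"]
FIREWALL = "192.0.2.10"        # the firewall member's own interface address


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the source address must fall in
    dst: str      # CIDR the destination address must fall in
    proto: int    # IP protocol number
    action: str   # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    stalls_in: str  # neighbor state the adjacency sticks in if this flow is dropped


# Policy as the question describes it: OSPF permitted only to the multicast groups.
POLICY_MULTICAST_ONLY = [
    Rule(LAN, ALL_SPF_ROUTERS + "/32", OSPF_PROTO, "accept"),
    Rule(LAN, ALL_DR_ROUTERS + "/32", OSPF_PROTO, "accept"),
]

# Corrected policy: additionally permit unicast OSPF from each router to the
# firewall's own address (and nothing broader than that).
POLICY_FIXED = POLICY_MULTICAST_ONLY + [
    Rule(r + "/32", FIREWALL + "/32", OSPF_PROTO, "accept") for r in ROUTERS
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: int) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.proto == proto):
            return r.action
    return "drop"


def inbound_flows(router_ip: str, fw_ip: str) -> List[Flow]:
    """Packets the firewall must accept from one router, in the order the
    OSPF neighbor state machine needs them on a broadcast network."""
    return [
        Flow("Hello (multicast 224.0.0.5)", router_ip, ALL_SPF_ROUTERS, "DOWN"),
        Flow("Database Description (unicast)", router_ip, fw_ip, "EXSTART"),
        Flow("LS Request / LS Update / LS Ack (unicast)", router_ip, fw_ip, "LOADING"),
    ]


def check_adjacency(rules: List[Rule], router_ip: str, fw_ip: str) -> Tuple[str, List[str]]:
    """Return (state the adjacency ends in, names of the flows the policy drops).
    The first dropped flow decides where the state machine stalls."""
    state = "FULL"
    blocked: List[str] = []
    for flow in inbound_flows(router_ip, fw_ip):
        if evaluate(rules, flow.src, flow.dst, OSPF_PROTO) != "accept":
            blocked.append(flow.name)
            if state == "FULL":
                state = flow.stalls_in
    return state, blocked


if __name__ == "__main__":
    for label, policy in (("multicast-only", POLICY_MULTICAST_ONLY), ("fixed", POLICY_FIXED)):
        for router in ROUTERS:
            state, blocked = check_adjacency(policy, router, FIREWALL)
            print(f"{label:15s} {router:>10s} -> {state:8s} blocked: {blocked or 'none'}")
```

The corrected policy deliberately opens unicast protocol 89 only from the two router addresses to the firewall's own interface, rather than "any to any, protocol 89": a stray host on the segment still cannot send OSPF packets to the firewall's unicast address, which is the least-privilege shape of the fix the last reply describes.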
