I am trying to establish OSPF between two Cisco routers and an HA-configured pair of Checkpoint firewalls that reside on the same LAN segment. The two routers form a good adjacency, but the routers will not form an adjacency to the Checkpoints. The neighbor status shows exstart/drother, then goes down, then back to exstart/drother. We have verified that the MTU sizes and the hello, dead, wait and retransmit times are the same. I am showing sent and received packets from the Checkpoints. Has anyone had this issue?
The Checkpoint FW probably doesn't support local link signaling (LLS), which is used for the support of NSF. Generally speaking, they should just ignore the extraneous information if they don't support it.
Fortunately, the following knob has been added to disable LLS on the IOS side to interoperate with other vendors not supporting LLS:
router ospf x
 no capability lls
Hope this helps,
Harold Ritter, Sr. Technical Leader, CCIE 4168 (R&S, SP)
Set the Checkpoints' OSPF to priority 0. I have Checkpoint on the Nokia platform and they are configured to never ever ever be the designated router. Let the routers be the designated router and life is much better.
Working with the Checkpoint vendor, we found the issue. It was a firewall policy that was not allowing packets from the routers through to the firewalls. Following the CheckPoint documentation, the policy was only allowing the multicast addresses, not the specific router IP addresses.
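An added example, not part of the thread: on a broadcast segment OSPF Hellos go to the multicast address 224.0.0.5, while Database Description and LS Request packets are unicast to the neighbor, so a policy that permits only the multicast destinations lets the neighbors see each other and then stalls them in ExStart. The Python sketch below parses constructed IPv4/OSPFv2 headers and reports which packet types each rule set drops; the addresses and the (source, destination) rule model are assumptions made for illustration, not Check Point policy syntax.

```python
import ipaddress
import struct

ip = ipaddress.ip_address
OSPF_PROTO = 89
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}

def build_packet(src, dst, ospf_type):
    """Constructed IPv4 + OSPFv2 headers (checksums zeroed; sample data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 44, 0, 0, 1, OSPF_PROTO, 0,
                         ip(src).packed, ip(dst).packed)
    ospf_hdr = struct.pack("!BBH4s4sHH8s", 2, ospf_type, 24,
                           ip(src).packed, bytes(4), 0, 0, bytes(8))
    return ip_hdr + ospf_hdr

def parse(pkt):
    """Return (src, dst, OSPF type name), or None if not a full OSPFv2 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 24 or pkt[9] != OSPF_PROTO or pkt[ihl] != 2:
        return None
    return ip(pkt[12:16]), ip(pkt[16:20]), OSPF_TYPES.get(pkt[ihl + 1], "unknown")

def permitted(src, dst, rules):
    """Rules are (src, dst) pairs; None matches any address (simplified model)."""
    return any(s in (None, src) and d in (None, dst) for s, d in rules)

def dropped_types(packets, rules):
    """OSPF packet types the rule set would drop, sorted by name."""
    parsed = filter(None, map(parse, packets))
    return sorted({t for s, d, t in parsed if not permitted(s, d, rules)})

# Constructed addresses: one router and the firewall's interface on the shared LAN.
ROUTER, FIREWALL = "10.0.0.1", "10.0.0.10"
# What the router sends while bringing up the adjacency on a broadcast segment.
FROM_ROUTER = [
    build_packet(ROUTER, "224.0.0.5", 1),   # Hello to AllSPFRouters
    build_packet(ROUTER, FIREWALL, 2),      # Database Description, unicast
    build_packet(ROUTER, FIREWALL, 3),      # LS Request, unicast
    build_packet(ROUTER, "224.0.0.5", 4),   # LS Update flooded to AllSPFRouters
    build_packet(ROUTER, FIREWALL, 5),      # direct LS Ack, unicast
]
MULTICAST_ONLY = [(None, ip("224.0.0.5")), (None, ip("224.0.0.6"))]
WITH_ROUTER_IP = MULTICAST_ONLY + [(ip(ROUTER), None)]

if __name__ == "__main__":
    print("multicast-only policy drops:", dropped_types(FROM_ROUTER, MULTICAST_ONLY))
    print("with router address allowed:", dropped_types(FROM_ROUTER, WITH_ROUTER_IP))
```

When reading firewall logs for this symptom, look for dropped IP protocol 89 packets whose destination is the firewall's own interface address rather than 224.0.0.5 or 224.0.0.6.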