Comments on: SPLAT – dynamic routing http://www.kuncar.net/blog/splat-dynamic-routing/2010/ Sat, 03 Dec 2011 23:57:52 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: tnk http://www.kuncar.net/blog/splat-dynamic-routing/2010/comment-page-1/#comment-755 tnk Sat, 03 Dec 2011 23:57:52 +0000 http://www.kuncar.net/blog/?p=430#comment-755 Hi Dash,<br /> sorry for such a long delay in my reply. <br /> First thing I would like to say is that it has been quite some time since I've done this and I no longer play with Checkpoint but I think I do understand what is the reason of your problem. <br /> The first thing is that OSPF is part of the routing which is more or less part of the operating system (RHEL) whereas HA is a proprietary protocol done independently from the OS somewhere in checkpoint logic. In the R70 which is the last one I have actively worked with those two parts were separate and the only thing they had in common was the configuration interface in SPLAT. <br /> My understanding is that the HA is basically meant to be used in some conjunction with something like link aggregation protocol more than with a routing protocol as that is the only way you can get a fast switch-over (except cisco's GLBP but that is not an option with checkpoint as far as I know). As for OSPF - in normal configuration you cannot have two active paths (uplinks) at the same time as one path will be always deemed inferior by the calculation and not used. There are some things you can possibly do (not sure how much is possible on SPLAT though) <br /> 1) Tweak the timers to be extremely low which will give you a decent switchover times (but nowhere close to AH's time)<br /> 2) Have the OSPF main process bound to a loopback interface so it will not do the whole convergence process if one interface goes down (I assume you already have that)<br /> <br /> I know this is fairly generic answer but unless I know more details I don't think I can help more.<br /> BR<br /> Hi Dash,
sorry for such a long delay in my reply.
First thing I would like to say is that it has been quite some time since I’ve done this and I no longer play with Checkpoint but I think I do understand what is the reason of your problem.
The first thing is that OSPF is part of the routing which is more or less part of the operating system (RHEL) whereas HA is a proprietary protocol done independently from the OS somewhere in checkpoint logic. In the R70 which is the last one I have actively worked with those two parts were separate and the only thing they had in common was the configuration interface in SPLAT.
My understanding is that the HA is basically meant to be used in some conjunction with something like link aggregation protocol more than with a routing protocol as that is the only way you can get a fast switch-over (except cisco’s GLBP but that is not an option with checkpoint as far as I know). As for OSPF – in normal configuration you cannot have two active paths (uplinks) at the same time as one path will be always deemed inferior by the calculation and not used. There are some things you can possibly do (not sure how much is possible on SPLAT though)
1) Tweak the timers to be extremely low which will give you a decent switchover times (but nowhere close to AH’s time)
2) Have the OSPF main process bound to a loopback interface so it will not do the whole convergence process if one interface goes down (I assume you already have that)

I know this is fairly generic answer but unless I know more details I don’t think I can help more.
BR

]]> By: Dash Rendar http://www.kuncar.net/blog/splat-dynamic-routing/2010/comment-page-1/#comment-744 Dash Rendar Fri, 04 Nov 2011 12:29:16 +0000 http://www.kuncar.net/blog/?p=430#comment-744 Hi, excellent article, thanks. Could you possibly expand upon this and show best practice in setting up OSPF on an HA Pair? We have done this to the best of our abilities, on both Power1s and VSXs however when the Active Firewall reboots, the Routing table is not synchronised across and the Standby Firewall has to go through the whole OSPF convergence process again, which takes quite some time due to the number of routes on our core network. This effectively negates the whole point of HA, as by the time the CP has learnt all the routes from OSPF, the TCP sessions running through it have all timed out. Many thanks, Dash Hi, excellent article, thanks.

Could you possibly expand upon this and show best practice in setting up OSPF on an HA Pair?

We have done this to the best of our abilities, on both Power1s and VSXs however when the Active Firewall reboots, the Routing table is not synchronised across and the Standby Firewall has to go through the whole OSPF convergence process again, which takes quite some time due to the number of routes on our core network.

This effectively negates the whole point of HA, as by the time the CP has learnt all the routes from OSPF, the TCP sessions running through it have all timed out.

Many thanks,
Dash

]]> By: 黑帽SEO http://www.kuncar.net/blog/splat-dynamic-routing/2010/comment-page-1/#comment-499 黑帽SEO Wed, 12 May 2010 22:35:11 +0000 http://www.kuncar.net/blog/?p=430#comment-499 great share, great article, very usefull for me...thank you great share, great article, very usefull for me…thank you

]]>