Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10799
Views
5
Helpful
4
Replies

OSPF between a Cisco Router and a Checkpoint

jfarrer
Level 1
Level 1

‎10-11-2006 10:01 PM - edited ‎03-05-2019 12:12 PM

I am trying to establish OSPF between two Cisco routers and an HA configured pair of Checkpoint firewalls the reside on the same LAN segment. The two routers form a good adjacency, but the routers will not form an adjacency to the Checkpoints. The neighbor status shows exstart/drother, then go down, then back to exstart/drother. We have verified the MTU sizes and hello, dead, wait and retransmit times are the same. I am showing sent and received packets from the Checkpoints. Has anyone had this issue?

Thanks,

Jack

Labels:
0 Helpful
4 Replies 4

leonvd79
Level 4
Level 4

‎10-11-2006 10:30 PM

Hello Jack,

Since the router is stuck in exstart stage, I suspect MTU.

However the MTU of both systems match, I have seen adjacencies between Cisco switches and routers fail because of this.

Try thee ip ospf ignore-mtu interface command, and see what happens.

Also try to disable link-local signalling between non-cisco devices with the ip ospf lls disable interface command. This is recommended in case the device is not in compliance with RFC 2328.

HTH

--Leon

* Please rate ALL posts.

0 Helpful

Harold Ritter
Cisco Employee
Cisco Employee

‎10-12-2006 03:24 AM

The Checkpoint FW probably doesn't support local link signaling (LLS), which is used for the support of NSF. Generally speaking, they should just ignore the extraneous information if they don't support it.

Fortunately, the following knob has been added to disable LLS on the IOS side to interoperate with other vendors not supporting LLS:

router ospf x

no capability lls

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

kendallp
Level 1
Level 1
In response to Harold Ritter

‎10-24-2006 06:43 PM

Set the checkpoints ospf to priority 0. I have checkpoint on nokia platform and they are configured to never ever ever be the designated router. Let the routers be the designated router and life is much better.

0 Helpful

jfarrer
Level 1
Level 1
In response to kendallp

‎11-14-2006 11:13 AM

Working with the Checkpoint vendor, we found the issue. It was a firewall policy that was not allowing packets from the routers through to the firewalls. Following the CheckPoint documentation, the policy was only allowing the multicast addresses, not the specific router IP addresses.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card