Troubleshooting Dynamic Routing (routed) Pnote

In R76, Check Point added a new ClusterXL Pnote called routed that monitors the state of the Dynamic Routing for Gaia clusters. This Pnote makes sure that traffic is not assigned to a Cluster Member before it is ready to handle the traffic. The Gaia RouteD daemon handles all routing (static and dynamic) operations.

There can be an issue with Dynamic Routing that shows one or more of these symptoms:

• Cluster IP address connectivity problems
• Unexpected failovers
• The Gaia Clish command show cluster members pnotes (or Expert mode command cphaprob list) shows that the current state of the Critical Device routed is problem:

  Device Name: routed
Registration number: 4
Timeout: none
Current state: problem

These are some of the common causes of this issue:

• Cluster misconfiguration
• Traffic on TCP port 2010 between Cluster Members is blocked by the Firewall
• The RouteD daemon did not get all of its routes
• The RouteD daemon did not start correctly

Standard RouteD Pnote Behavior

Typically, the routed Pnote reports its current state as Problem when:

• A Cluster Member fails over
• A Cluster Member reboots
• There is an inconsistency in the Dynamic Routing configuration on Cluster Members

The routed Pnote reports its state as Ok when:

• A ClusterXL member tells the RouteD daemon that it is a Master
• The RouteD daemon gets the entire routing state from the Master

Basic Troubleshooting Steps

1. To make sure that your cluster and member interfaces are configured correctly, run:
   • In Gaia Clish:

     show cluster members interfaces {all | secured | virtual | vlans}

     Or

   • In Expert mode:

     cphaprob [-a] [-m] if

2. Generate RouteD cluster messages. Run in Expert mode:

   dbset routed:instance:default:traceoptions:traceoptions:Cluster

   Examine the /var/log/routed/log file.

3. Make sure that Firewall rules do not block traffic on TCP port 2010 between the Cluster Members.
4. Make sure that the RouteD daemon is running on the Active member.
5. Look for a router-id mismatch in the OSPF configuration.
6. Make sure that the OSPF interface is up on the Standby member.

For advanced troubleshooting procedures and more information, see sk92787.

For troubleshooting OSPF and the RouteD daemon, see sk84520.