In VSX, running the IPv6 netstat command within a VS context displays the IPv6 routes from all the VS. Use the command 'ip -6 route show' instead of 'netstat -rn -A inet6' to check the routes within a VS context.
If you are using the Check Point VSX application and have IPv6 configured, then running the IPv6 netstat command 'netstat -rn -A inet6' within a particular VS context will display the IPv6 routes not just for that particular VS but for all the VS on the system.
Here is an example:
-----------------------------------
The following command was run from VS 3 context (vsx set 3), which only had the Out.759 interface:
fw_1 (pod5-R03x01): [vs3] ~# netstat -nr -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::1/128 :: U 0 1 1 lo
fe80::/128 :: U 0 0 2 lo
fe80::/128 :: U 0 0 2 lo
fe80::/128 :: U 0 0 2 lo
fe80::/128 :: U 0 0 2 lo
fe80::/128 :: U 0 0 2 lo
fe80::203:d2ff:fe00:506/128 :: U 0 0 1 lo
fe80::203:d2ff:fef1:2105/128 :: U 0 0 1 lo
fe80::203:d2ff:fef1:2205/128 :: U 0 0 1 lo
fe80::203:d2ff:fef1:2305/128 :: U 0 0 1 lo
fe80::203:d2ff:fef1:a105/128 :: U 0 0 1 lo
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 sync
fe80::/64 :: U 256 0 0 mgmt
fe80::/64 :: U 256 0 0 In
fe80::/64 :: U 256 0 0 Out
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 sync
ff00::/8 :: U 256 0 0 mgmt
ff00::/8 :: U 256 0 0 In
ff00::/8 :: U 256 0 0 Out
::1/128 :: U 0 0 1 lo1
2001:1:1::/64 2001:751::2 UG 1024 0 0 Out.751
2001:750::/128 :: U 0 0 2 lo1
2001:750::1/128 :: U 0 0 1 lo1
2001:750::/64 :: U 256 0 0 In.750
2001:751::/128 :: U 0 0 2 lo1
2001:751::1/128 :: U 0 20 1 lo1
2001:751::/64 :: U 256 1 0 Out.751
fe80::/128 :: U 0 0 2 lo1
fe80::/128 :: U 0 0 2 lo1
fe80::203:d2ff:fef1:2205/128 :: U 0 0 1 lo1
fe80::203:d2ff:fef1:2305/128 :: U 0 0 1 lo1
fe80::/64 :: U 256 0 0 In.750
fe80::/64 :: U 256 0 0 Out.751
ff00::/8 :: U 256 0 0 In.750
ff00::/8 :: U 256 0 0 Out.751
::1/128 :: U 0 0 1 lo2
::1/128 :: U 0 0 1 lo3
::1/128 :: U 0 0 1 lo3
2001:759::/128 :: U 0 0 2 lo3
2001:759::1/128 :: U 0 0 1 lo3
2001:759::/64 :: U 256 1 0 Out.759
fe80::/128 :: U 0 0 2 lo3
fe80::203:d2ff:fef1:2305/128 :: U 0 0 1 lo3
fe80::/64 :: U 256 0 0 Out.759
ff00::/8 :: U 256 0 0 Out.759
::/0 2001:759::10 UG 1024 0 0 Out.759
Problem: The netstat command for IPv6 does not account for the VS context of the VSX application.
Check Point recommends using 'ip -6 route show' command instead of 'netstat -rn -A inet6' command for VSX application.
Here is the outout of 'ip - route show' command from the VS3 context for the example mentioned in the Symptoms section, above:
---------
fw_1 (pod5-R03x01): [vs3] ~# ip -f inet6 route show
2001:759::/64 dev Out.759 metric 256 vrf 3 expires 21333304sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev Out.759 metric 256 vrf 3 expires 21332448sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev Out.759 metric 256 vrf 3 expires 21332448sec mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:759::10 dev Out.759 metric 1024 vrf 3 expires 21333766sec mtu 1500 advmss 1440 hoplimit 4294967295
fw_1 (pod5-R03x01): [vs3] ~#
---------