IPv6 netstat command within VSX displays the IPv6 routes for all VS


Article ID: 167872


Products

XOS

Issue/Introduction

In VSX, running the IPv6 netstat command within a VS context displays the IPv6 routes from all the VS. Use the command 'ip -6 route show' instead of 'netstat -rn -A inet6' to check the routes within a VS context.

If you are using the Check Point VSX application and have IPv6 configured, then running the IPv6 netstat command 'netstat -rn -A inet6' within a particular VS context will display the IPv6 routes not just for that particular VS but for all the VS on the system.


Here is an example:
-----------------------------------
The following command was run from VS 3 context (vsx set 3), which only had the Out.759 interface:

fw_1 (pod5-R03x01): [vs3] ~# netstat -nr -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::1/128                                     ::                                      U     0      1        1 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::203:d2ff:fe00:506/128                 ::                                      U     0      0        1 lo
fe80::203:d2ff:fef1:2105/128                ::                                      U     0      0        1 lo
fe80::203:d2ff:fef1:2205/128                ::                                      U     0      0        1 lo
fe80::203:d2ff:fef1:2305/128                ::                                      U     0      0        1 lo
fe80::203:d2ff:fef1:a105/128                ::                                      U     0      0        1 lo
fe80::/64                                   ::                                      U     256    0        0 eth0
fe80::/64                                   ::                                      U     256    0        0 sync
fe80::/64                                   ::                                      U     256    0        0 mgmt
fe80::/64                                   ::                                      U     256    0        0 In
fe80::/64                                   ::                                      U     256    0        0 Out
ff00::/8                                    ::                                      U     256    0        0 eth0
ff00::/8                                    ::                                      U     256    0        0 sync
ff00::/8                                    ::                                      U     256    0        0 mgmt
ff00::/8                                    ::                                      U     256    0        0 In
ff00::/8                                    ::                                      U     256    0        0 Out
::1/128                                     ::                                      U     0      0        1 lo1
2001:1:1::/64                               2001:751::2                             UG    1024   0        0 Out.751
2001:750::/128                              ::                                      U     0      0        2 lo1
2001:750::1/128                             ::                                      U     0      0        1 lo1
2001:750::/64                               ::                                      U     256    0        0 In.750
2001:751::/128                              ::                                      U     0      0        2 lo1
2001:751::1/128                             ::                                      U     0      20       1 lo1
2001:751::/64                               ::                                      U     256    1        0 Out.751
fe80::/128                                  ::                                      U     0      0        2 lo1
fe80::/128                                  ::                                      U     0      0        2 lo1
fe80::203:d2ff:fef1:2205/128                ::                                      U     0      0        1 lo1
fe80::203:d2ff:fef1:2305/128                ::                                      U     0      0        1 lo1
fe80::/64                                   ::                                      U     256    0        0 In.750
fe80::/64                                   ::                                      U     256    0        0 Out.751
ff00::/8                                    ::                                      U     256    0        0 In.750
ff00::/8                                    ::                                      U     256    0        0 Out.751
::1/128                                     ::                                      U     0      0        1 lo2


::1/128                                     ::                                      U     0      0        1 lo3
::1/128                                     ::                                      U     0      0        1 lo3
2001:759::/128                              ::                                      U     0      0        2 lo3
2001:759::1/128                             ::                                      U     0      0        1 lo3
2001:759::/64                               ::                                      U     256    1        0 Out.759
fe80::/128                                  ::                                      U     0      0        2 lo3
fe80::203:d2ff:fef1:2305/128                ::                                      U     0      0        1 lo3
fe80::/64                                   ::                                      U     256    0        0 Out.759
ff00::/8                                    ::                                      U     256    0        0 Out.759
::/0                                        2001:759::10                            UG    1024   0        0 Out.759

 

Cause

Problem: The netstat command for IPv6 does not account for the VS context of the VSX application.

Resolution

Check Point recommends using the 'ip -6 route show' command instead of the 'netstat -rn -A inet6' command to check IPv6 routes within a VS context of the VSX application.


Here is the output of the 'ip -6 route show' command (entered below in its equivalent form, 'ip -f inet6 route show') from the VS3 context for the example shown above:
---------
fw_1 (pod5-R03x01): [vs3] ~# ip -f inet6 route show
2001:759::/64 dev Out.759  metric 256  vrf 3  expires 21333304sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev Out.759  metric 256  vrf 3  expires 21332448sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev Out.759  metric 256  vrf 3  expires 21332448sec mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:759::10 dev Out.759  metric 1024  vrf 3  expires 21333766sec mtu 1500 advmss 1440 hoplimit 4294967295
fw_1 (pod5-R03x01): [vs3] ~#

---------
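
The difference between the two views can be checked mechanically. The script below is an added example, not Check Point or vendor code: it lists the interfaces that appear in the netstat output but not in the VS-scoped 'ip -6 route show' output. The function names are hypothetical, the sample rows are taken from the VS 3 output above (trimmed, whitespace compressed), and skipping loopback interfaces is an assumption.

```sh
#!/bin/sh
# Added example (not vendor code): list interfaces that the unscoped
# 'netstat -rn -A inet6' view shows but the VS-scoped 'ip -6 route show'
# view does not.

# Sample input: rows taken from the article's VS 3 output, trimmed and
# with column whitespace compressed.
NETSTAT_SAMPLE='Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::1/128 :: U 0 1 1 lo
fe80::/64 :: U 256 0 0 mgmt
2001:1:1::/64 2001:751::2 UG 1024 0 0 Out.751
2001:750::/64 :: U 256 0 0 In.750
2001:759::/64 :: U 256 1 0 Out.759
::1/128 :: U 0 0 1 lo3
::/0 2001:759::10 UG 1024 0 0 Out.759'

IP6_SAMPLE='2001:759::/64 dev Out.759  metric 256  vrf 3
fe80::/64 dev Out.759  metric 256  vrf 3
ff00::/8 dev Out.759  metric 256  vrf 3
default via 2001:759::10 dev Out.759  metric 1024  vrf 3'

# Unique interface names following "dev" in 'ip -6 route show' output (stdin).
ip6_ifaces() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }' |
        LC_ALL=C sort -u
}

# Unique Iface values (last column) of netstat route rows (stdin).
# Route rows have 7 fields and a destination containing ":".
netstat6_ifaces() {
    awk 'NF == 7 && $1 ~ /:/ { print $NF }' | LC_ALL=C sort -u
}

# $1 = netstat output, $2 = ip output captured in the same VS context.
# Prints interfaces present only in the netstat view. Loopbacks (lo*) are
# skipped: the article's ip output lists none (assumption: not of interest).
foreign_ifaces() {
    scoped=$(printf '%s\n' "$2" | ip6_ifaces | tr '\n' ' ')
    printf '%s\n' "$1" | netstat6_ifaces |
        awk -v scoped="$scoped" '
            BEGIN { n = split(scoped, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            !/^lo/ && !($0 in ok)'
}

foreign_ifaces "$NETSTAT_SAMPLE" "$IP6_SAMPLE"   # In.750, Out.751, mgmt
```

On a live system, the same check can be run inside a VS context as foreign_ifaces "$(netstat -rn -A inet6)" "$(ip -6 route show)"; any interface it prints belongs to a route that netstat reported from outside that VS.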

Workaround

N/A