| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
We've recently encountered an issue with OSPF, as described below.

FW Version:

[Expert@fw1]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R60) HFA_03, Hotfix 603 - Build 015

The OSPF settings are well configured, and the firewall was able to see and exchange neighbors in the database at first-time setup.

Two days ago, my client added new corporate customer IPs on the EC router, as follows: 192.168.232.251 and 192.168.232.252

The new APN pool is 10.3.2.0/24, and a rule set has been added as:

Source: Besi_10.3.2.0_24
Destination: 192.168.232.251 and 192.168.232.252
Services: icmp_requests

1) The first time my client did a ping from 10.3.2.x to 192.168.232.251/252, the ping was dropped by the FW due to 'Address Spoofing' on interface eth6 (this interface has been reserved for OSPF purposes).

2) So, I included and specified Besi_10.3.2.0_24 as the 'Anti-Spoofing' group and pushed the topology again. The 'Anti-spoofing' message was gone and I was able to ping via the FW to 192.168.232.252.

3) After a minute or so, the neighbors that were shown in the OSPF database were gone/broken. The core switch and other routers can't see the FW any longer in the OSPF database.

4) I then removed the anti-spoofing group from the topology, and strangely all the neighbors came back again.

Any ideas? How to resolve? Thanks.
Hi all, I found the answer: just add all the neighbors found (show ip ospf database) to the anti-spoofing group and push the policy again, and then the neighbors will come back.
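
A pre-push check for the fix described in the last post, as an added example that is not part of the thread: it reports which source addresses expected on the interface fall outside the anti-spoofing group. The neighbor addresses, the client address, the neighbor object names and the function name are constructed for illustration; only Besi_10.3.2.0_24 and 10.3.2.0/24 come from the thread.

```python
import ipaddress


def uncovered_sources(group, sources):
    """Return the source addresses that no network in the group contains.

    group   -- mapping of object name -> CIDR string (the anti-spoofing group)
    sources -- source IPs expected to arrive on the interface
    """
    nets = [ipaddress.ip_network(cidr) for cidr in group.values()]
    missing = []
    for src in sources:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            missing.append(src)
    return missing


# Constructed sample data: two OSPF neighbors on the eth6 segment and one
# APN client. Real neighbor addresses come from the routing daemon's
# neighbor/database listing.
OSPF_NEIGHBORS = ["172.16.6.2", "172.16.6.3"]
APN_CLIENT = "10.3.2.15"
EXPECTED_SOURCES = OSPF_NEIGHBORS + [APN_CLIENT]

# Step 2 of the first post: the group holds only the APN pool.
GROUP_STEP2 = {"Besi_10.3.2.0_24": "10.3.2.0/24"}

# The fix from the last post: the neighbors are added to the same group.
# The neighbor object names are hypothetical.
GROUP_FIXED = {
    **GROUP_STEP2,
    "ospf_neighbor_1": "172.16.6.2/32",
    "ospf_neighbor_2": "172.16.6.3/32",
}

if __name__ == "__main__":
    for label, group in (("step 2", GROUP_STEP2), ("fixed", GROUP_FIXED)):
        missing = uncovered_sources(group, EXPECTED_SOURCES)
        status = "would be dropped as spoofed: " + ", ".join(missing) if missing else "all sources covered"
        print(f"{label}: {status}")
```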