Security

Maybe anyone has come across this:

A static route is configured in the NSM. Nor in the "Delta config summary" nor in the "Update Device" dialog the routes are displayed. After a "Update Device" the Routes are not in the routing table (it is not a display issue). 

The strange thing: Only patricular subnets are affected. Example:

The following route is displayed in the "Update Device" dialog: 

set vrouter trust-vr route 10.176.0.0/16 interface tunnel.10  preference 20 metric 20 

The following route is not displayed in the "Update Device" dialog:

set vrouter trust-vr route 10.150.0.0/16 interface tunnel.10  preference 20 metric 20

On the device I checked the route with get route, downloaded the config file. However the route which should be added is just not there.

Any help is very appreciated!

In the release notes for 6.2 only the following is noted:

Addressed Issues from ScreenOS 6.2.0r12
687205—"Config datafile" for NSM might not include routes from shared DMZ VR (for vsys) to other vrouters.

But I think the problem we are having is the other way round...

the funny thing is: 

After adding the routes manually to the device the NSM recognizes the difference between the device and the mgmt and tries to delete them during the next update device process. It seems definitely like a NSM issue. The routes are displayed in the GUI but I guess they are missing anywhere in the database.

Case with JTAC opened

JTAC found a workaroundsolution:

Delete all routes for a specific subnet and re-add them. After this the routes are pushed to the device.