We have a Netscreen firewall in the lab running ScreenOS 5.4.0, which interfaces with other firewalls via tunnels, and there is dynamic routing via BGP and RIP involved. I configured an IP Summary of 172.16.0.0/12 on the firewall (within the RIP instance), as it receives several hundred subnets within 172.16.0.0/12 that I want to summarize to the remote (branch office) firewalls.
What I found is that if the firewall no longer receives dynamic route updates for any 172.16.0.0/12 subnet, it will still continue to advertise 172.16.0.0/12 in its RIP advertisements to the remote firewalls. As a result, the remote offices still send traffic for a 172.16/12 subnet to the firewall, which ends up black-holing it. Mind you, the firewall that the IP Summary is on does not have any interfaces within a 172.16/12 space.
Is this a "feature" or a bug in ScreenOS (I could not find any bug report for this)? Is there a way to implement summarization on the firewall so that if it no longer "sees" any advertisements for 172.16/12 subnets, it will no longer send a RIP adv for 172.16.0.0/12?