https://community.checkpoint.com/t5/Firewall-and-Security-Management/1200R-High-availability-SSL-VPN-Routing-between-primary-and/m-p/117125#M16521 <P>Pretty sure this is working as expected. You cannot terminate SSL VPN on a standby member and expect it to work. On the LAN side, all traffic goes to active member only.<BR /><BR />I would suggest some DNS script that would stick SSL VPN GW FQND to active member only, then you could go by name and not IP, ending up on Active only.&nbsp;<BR /><BR />I also believe this connectivity on ISP side not supported. You need to configure two ISP links on each box and use ISP redundancy</P> Wed, 28 Apr 2021 07:59:19 GMT _Val_ 2021-04-28T07:59:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/1200R-High-availability-SSL-VPN-Routing-between-primary-and/m-p/117116#M16518 <P>Hi All,</P><P>&nbsp;</P><P>We have been running into issues with a deployment of a remote access vpn on two Checkpoing 1200R Devices.&nbsp; The below mudmap gives you an idea of our setup. Two firewalls externally attached to two different ISPs with static addresses</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="mudmap.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11548iB875CF71F7B699F5/image-size/medium?v=v2&amp;px=400" role="button" title="mudmap.png" alt="mudmap.png" /></span></P><P>&nbsp;</P><P>The issues i am&nbsp; running into is:</P><OL><LI>finding the SSL webpage very often fails to "upgrade" the connection into a VPN connection even with valid credentials using a known working configuration and the only solution is to retry until it works, this is our biggest issue as this is a remote industrial site and having highly available remote access is critical.&nbsp;</LI><LI>If FW1 is Primary and Active, connecting to the SSL vpn via FW2 static ip will succeed but will not route traffic back from the local LAN (same situation for FW1 when FW2 is Active)</LI><LI>We are using Active directory for VPN authentication and have two domain controllers onsite. The appliance local management configuration interface only allows for one domain controller to be setup. Therefore if we have a failure of the primary DC we lose vpn connectivity.</LI></OL><P>&nbsp;</P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P> Wed, 28 Apr 2021 06:12:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/1200R-High-availability-SSL-VPN-Routing-between-primary-and/m-p/117116#M16518 kyle 2021-04-28T06:12:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/1200R-High-availability-SSL-VPN-Routing-between-primary-and/m-p/117125#M16521 <P>Pretty sure this is working as expected. You cannot terminate SSL VPN on a standby member and expect it to work. On the LAN side, all traffic goes to active member only.<BR /><BR />I would suggest some DNS script that would stick SSL VPN GW FQND to active member only, then you could go by name and not IP, ending up on Active only.&nbsp;<BR /><BR />I also believe this connectivity on ISP side not supported. You need to configure two ISP links on each box and use ISP redundancy</P> Wed, 28 Apr 2021 07:59:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/1200R-High-availability-SSL-VPN-Routing-between-primary-and/m-p/117125#M16521 _Val_ 2021-04-28T07:59:19Z