topic Re: Duel Ipsec route based tunnel to Azure with BGP enabled in Firewall and Security Management

Duel Ipsec route based tunnel to Azure with BGP enabled

sreekanthvijay — Wed, 13 Apr 2022 13:42:10 GMT

Hi All ,

im looking for some document related to setup duel ipsec tunnel from check point 3200 model firewall to Azure with BGP enabled for automatic failover .

Can some one share the KB or related article regarding this

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

PhoneBoy — Wed, 20 Apr 2022 23:30:48 GMT

Did you try: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk176249&partition=Basic&product=CloudGuard

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

sreekanthvijay — Sat, 17 Sep 2022 14:12:39 GMT

Hi ,

We are not using Vwan vpn gateway in azure , it is normal vpn gateway in azure and we are able to establish two tunnel with bgp to azure and we have created specific route map for traffic selection path , the problem what we are facing is when the tunnel and bgp is up and it runs with out any problem for some hour after that one of the bgp goes to active state and we need to reset the tunnel in azure side for bgp to come up again and same thing happens for other tunnel also , so if we didn’t monitor it after certain time bgp towards azure for both vti becomes active and impact the production . In our side we have 3100 with cluster … Please suggest

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

Blason_R — Sun, 18 Sep 2022 03:59:45 GMT

The information seems to be very less.

How many ISPs you have on your firewall? Is this a VTI based tunnel or? Did you configure to tunnels from same ISP?

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

sreekanthvijay — Sun, 18 Sep 2022 07:46:52 GMT

Hi ,

we have two ISP and each tunnel is established on two different ISP to azure and uses BGP between azure and check point vti

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

Blason_R — Sun, 18 Sep 2022 07:57:59 GMT

This is surprising!! You can not configure two IPsec tunnels on two ISP since Check Point will not accept. You can define VPN listening interface and then configure the tunnel. However you can define multiple tunnels from same IP to two different Azure instances and then configure BGP over IPsec.

I tried this multiple times since Check Point does not accept the tunnels on different interfaces hence I had to accommodate different solution and introduce router where tunnels are terminated and then configured BGP.

May be try running BGP traces however my gut feeling is - This is purely a IPsec issue since the peer goes into Active State in sometime.

What is the ouput of show bgp paths

show route bgp show bgp peer <FIRsTPEER> advertise show bgp peer <secondPEER> advertise show bgp peer <FIRsTPEER> received show bgp peer <secondPEER> received

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

sreekanthvijay — Sun, 18 Sep 2022 19:13:31 GMT

Hi Balson ,

We don't have any problem for BGP advertise and received since that we have strictly controlled over the route maps and it is working as expected..

We have one problem is , after certain time one of the BGP peers which is going to azure is going to active state and it is not able to establish the connection until we reset the tunnel from Azure end ,

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime

10.250.4.4 65522 0 0 Active 0 0 00:00:00
10.250.4.5 65522 9 2 Established 2 2 00:35:08

In the above o/p 4.4 is the secondary tunnel to Azure and 4.5 is the primary one .Do you know how we can stop this and BGP to automatically establish the connection when the SA timer expired.

Re: Duel Ipsec route based tunnel to Azure with BGP enabled

Blason_R — Mon, 19 Sep 2022 04:54:46 GMT

What does BGP Trace logs shows sk101399