topic Re: ClusterXL does can not connect to the ISP Gateway in Firewall and Security Management

ClusterXL does can not connect to the ISP Gateway

Choijilsuren_Ba — Thu, 28 Sep 2017 13:45:03 GMT

My ClusterXL is working Load Sharing Multicast Mode but can not connect to the ISP. There is connected switch between CsusterXL and ISP. ClusterXL can connect to other devices. How to configure the ISP device or ClusterXL. The switch between the ISP and ClustrXL is Cisco catalyst 2960X. Distributed deployment and Security gateway is GAIA R80.10, Management is GAIA R80.10

Re: ClusterXL does can not connect to the ISP Gateway

Danny — Thu, 28 Sep 2017 20:18:49 GMT

Try using Load Sharing Unicast Mode and check if your ClusterXL gateways can then reach your ISP router. If that is the case, switch back to Multicast Mode and troubleshoot the Multicast configuration on your switch between the firwall cluster and the ISP router.

Re: ClusterXL does can not connect to the ISP Gateway

PhoneBoy — Thu, 28 Sep 2017 20:34:40 GMT

Define "cannot connect to ISP" -- by what method are you determining this?

Have you:

Verified you can ping the default route from both cluster members? (Verifies basic connectivity)
Verified you can ping one hop up from the default route (determines you've set up routing correctly)

The more details you can provide about your environment, what you've tried, what you expected, and what results you got, the more helpful the community can be.

Re: ClusterXL does can not connect to the ISP Gateway

Choijilsuren_Ba — Fri, 29 Sep 2017 01:33:25 GMT

ClusterXL is currently working production. Therefore can not moved Load sharing Unicast mode. ClusterXL is can working other cluster interfaces. Other Cluster interfaces is working normally.

Re: ClusterXL does can not connect to the ISP Gateway

Choijilsuren_Ba — Fri, 29 Sep 2017 02:20:05 GMT

Default route configured both cluster members but can not ping to ISP gateway.

Example topology:

can ping from VIP:1.1.1.4 to 1.1.1.5 and 2.2.2.2. can not ping from VIP: 1.1.1.4 to 1.1.1.1

Re: ClusterXL does can not connect to the ISP Gateway

PhoneBoy — Fri, 29 Sep 2017 04:35:03 GMT

That looks suspiciously like this configuration (and this problem): https://community.checkpoint.com/message/8899-re-how-to-configure-external-interface-in-clusterxl?commentID=8899#comment…

In fact, the network diagram looks nearly identical to the linked thread.

It may be a coincidence, of course.

To verify it is NOT a Check Point problem:

fw unloadlocal on one of the cluster members (this unloads the firewall policy)
Attempt to ping the ISP gateway from the same cluster member

If you can not ping the ISP gateway in this situation, then it's unlikely to be a Check Point issue (or it could be a basic networking issue).

If you can ping the ISP gateway in this situation, then:

fw fetch localhost to reload the policy to the cluster member
Open a second ssh session to the cluster member
Attempt to ping the ISP gateway from one session while running tcpdump on the other.

If you can see ping packets leave your gateway and responses not come back, then it's likely an issue with your switch configuration.

If you can see ping packets come back and the ping is not successful, then it might be a Check Point configuration issue and I recommend working with the Check Point TAC: Contact Support | Check Point Software

If none of this makes any sense, I strongly suggest working with your local Check Point partner or SE who can work with you one on one.

If you need a pointer to who to contact, please send me a private message and I will connect you.