https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229415#M44184 <P>You should configure the routers to use the VIP only.<BR />It may take a couple seconds for the ClusterXL failover to occur.</P> Thu, 10 Oct 2024 16:11:47 GMT PhoneBoy 2024-10-10T16:11:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229402#M44178 <P>Hello!</P><P>I configured tunnel from my ASA to Checkpoint Cluster XL.</P><P>All work but I not shure about properly work BGP.</P><P>I configured some router id on each gateways on the cluster (VIP of the internal interfaces)</P><P>Some peer - My ASAs tunnel interface ip</P><P>And on active gateway i see:</P><P>TEST-CHPSG01&gt; show cluster roles</P><P>ID Role</P><P>1 (local) Master<BR />2 Non-Master</P><P>TEST-CHPSG01&gt; show bgp peers</P><P>Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer</P><P>PeerID AS Routes ActRts State InUpds OutUpds Uptime<BR />169.254.129.4 65312 1 1 Established 2 0 11:19:06</P><P>&nbsp;</P><P>On second:</P><P>Oleg Volkov, [10.10.2024 12:57]<BR />CUDD-CHPSG01&gt; show bgp peers</P><P>Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer</P><P>PeerID AS Routes ActRts State InUpds OutUpds Uptime<BR />169.254.129.4 65312 1 1 <STRONG>Established</STRONG> 2 0 11:19:06</P><P>Oleg Volkov, [10.10.2024 12:57]<BR />TEST-CHPSG02&gt; show cluster roles</P><P>ID Role</P><P>1 Master<BR />2 (local) Non-Master</P><P>TEST-CHPSG02&gt; show bgp peers</P><P>Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer</P><P>PeerID AS Routes ActRts State InUpds OutUpds Uptime<BR />169.254.129.4 65312 0 0 <STRONG>Idle</STRONG> 0 0 00:00:00</P><P>&nbsp;</P><P>After I reload active gateway and check BGP session on standby:</P><P>TEST-CHPSG02&gt; show bgp peers</P><P>Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer</P><P>PeerID AS Routes ActRts State InUpds OutUpds Uptime<BR />169.254.129.4 65312 0 0 <STRONG>Idle</STRONG> 0 0 00:00:00</P><P>Multiple times - <STRONG>Idle</STRONG></P><P><BR />TEST-CHPSG02&gt; show bgp peers</P><P>Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer</P><P>PeerID AS Routes ActRts State InUpds OutUpds Uptime<BR />169.254.129.4 65312 0 0 <STRONG>Active</STRONG> 0 0 00:00:00</P><P>Multiple times <STRONG>Active</STRONG></P><P><BR />TEST-CHPSG02&gt; show bgp peers</P><P>Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer</P><P>PeerID AS Routes ActRts State InUpds OutUpds Uptime<BR />169.254.129.4 65312 1 1 <STRONG>Established</STRONG> 2 1 00:00:00</P><P>&nbsp;</P><P>And now established.</P><P>I have 3-5 sec (sometimes more) downtime when standby gateway become active</P><P>May be I configured it improperly?</P><P>Second question is the best way to configure dynamic routing beatwen ClusterXL and cisco/Huawei routers. OSPF/IS-IS/BGP?</P><P>What I must do? configure peering to each gateways or to VIP address?</P><P>If to each gateways how Cisco will know about which route is prefer (which gateway is active)?</P><P>Thank You!</P> Thu, 10 Oct 2024 14:32:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229402#M44178 OlegPowerC 2024-10-10T14:32:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229415#M44184 <P>You should configure the routers to use the VIP only.<BR />It may take a couple seconds for the ClusterXL failover to occur.</P> Thu, 10 Oct 2024 16:11:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229415#M44184 PhoneBoy 2024-10-10T16:11:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229438#M44190 <P>Make sure BGP port (tcp/179) is allowed in both directions. It should be allowed for VIP IPs.</P> Fri, 11 Oct 2024 06:05:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229438#M44190 JozkoMrkvicka 2024-10-11T06:05:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229446#M44193 <P>Thank You!</P><P>Can You explain me how I can to switch active gateway without reooting?</P><P>And second question, which protocol do you recommend as IGP with checkpoint for minimal downtime?</P><P>Thank you!</P> Fri, 11 Oct 2024 07:46:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229446#M44193 OlegPowerC 2024-10-11T07:46:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229487#M44198 <P>I believe you can execute the command <STRONG><FONT face="courier new,courier">clusterXL_admin down</FONT></STRONG> to do this (<STRONG><FONT face="courier new,courier">clusterXL_admin up</FONT></STRONG> to reverse it).</P> <P>The choice of an IGP depends on a number of factors.<BR />From what I see on the community, OSPF is probably the most commonly used.</P> Fri, 11 Oct 2024 17:08:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-ClusterXL-and-Cisco-ASA-Failover-cluster-VPN-with-BGP/m-p/229487#M44198 PhoneBoy 2024-10-11T17:08:05Z