https://community.checkpoint.com/t5/Firewall-and-Security-Management/ESP-packets-use-ISP-router-MAC-instead-of-ISP-HSRP-MAC/m-p/244909#M47673 <P>Hi!</P><P>I have several sites with an R81.10 cluster (active/standby), two switches and two ISP routers.</P><P>These routers are configured with HSRP.</P><DIV class=""><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ISP connection.JPG" style="width: 200px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30036iE3ED508FF3CF97F8/image-size/small?v=v2&amp;px=200" role="button" title="ISP connection.JPG" alt="ISP connection.JPG" /></span></DIV><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When the ISP router sends packets, the source MAC is always the router MAC.</P><P>When the firewall is sending traffic to the internet, the HSRP MAC of the ISP router is used as a destination.</P><P>Exception: when the firewall is sending ESP packets with protocol "UDP (17)" (looks like the actual VPN data packets for Site2Site and Client2Site connections), then the MAC of the actual router is used as a&nbsp;destination.</P><P>Is this an expected behaviour or can it be influenced?</P><P>&nbsp;</P><P>The issue with this is: In case of a router failure, the traffic will be send to a dead MAC.</P><P>And as we also have a site with ISP load-sharing, the traffic might be sent directly to the secondary router. If then the switch in the path is restarted, the VPN tunnels also suffer.</P><P>Thanks in advance for some insights!</P><P>&nbsp;</P><P>EDIT: Through the support portal I now found this&nbsp;<A href="https://community.checkpoint.com/t5/Management/vpn-r80-20-vsx/m-p/15269#M2805" target="_blank">vpn r80.20 vsx - Check Point CheckMates</A>, looks quite similar. Will look at it tomorrow, it didn´t come up in the Community website search.</P> Wed, 26 Mar 2025 20:20:52 GMT Robin_H 2025-03-26T20:20:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ESP-packets-use-ISP-router-MAC-instead-of-ISP-HSRP-MAC/m-p/244909#M47673 <P>Hi!</P><P>I have several sites with an R81.10 cluster (active/standby), two switches and two ISP routers.</P><P>These routers are configured with HSRP.</P><DIV class=""><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ISP connection.JPG" style="width: 200px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30036iE3ED508FF3CF97F8/image-size/small?v=v2&amp;px=200" role="button" title="ISP connection.JPG" alt="ISP connection.JPG" /></span></DIV><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When the ISP router sends packets, the source MAC is always the router MAC.</P><P>When the firewall is sending traffic to the internet, the HSRP MAC of the ISP router is used as a destination.</P><P>Exception: when the firewall is sending ESP packets with protocol "UDP (17)" (looks like the actual VPN data packets for Site2Site and Client2Site connections), then the MAC of the actual router is used as a&nbsp;destination.</P><P>Is this an expected behaviour or can it be influenced?</P><P>&nbsp;</P><P>The issue with this is: In case of a router failure, the traffic will be send to a dead MAC.</P><P>And as we also have a site with ISP load-sharing, the traffic might be sent directly to the secondary router. If then the switch in the path is restarted, the VPN tunnels also suffer.</P><P>Thanks in advance for some insights!</P><P>&nbsp;</P><P>EDIT: Through the support portal I now found this&nbsp;<A href="https://community.checkpoint.com/t5/Management/vpn-r80-20-vsx/m-p/15269#M2805" target="_blank">vpn r80.20 vsx - Check Point CheckMates</A>, looks quite similar. Will look at it tomorrow, it didn´t come up in the Community website search.</P> Wed, 26 Mar 2025 20:20:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ESP-packets-use-ISP-router-MAC-instead-of-ISP-HSRP-MAC/m-p/244909#M47673 Robin_H 2025-03-26T20:20:52Z