https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/92930#M7178 <P>Hello All,</P><P>Issue - Fail over is not working in dual ISP setup.</P><P>Issue Description - We have attached setup in our environment and while trying to do a fail over towards secondary ISP. We observed that old connections are still trying to exit out from primary (Down ISP) and in debug I am getting interface inactive.&nbsp;</P><P>What I observer that if we reset the connection from user end or connection get clear from connection table, then it will go via secondary ISP.&nbsp;</P><P>The thing is this behaviour looks ok with http/https traffic.&nbsp;</P><P>But IPSec and GRE traffic is causing major issue.&nbsp;</P><P>We have 2 different routers behind the firewall trying to communicate internet using IPSec and GRE and we have probing mechanism enabled. So when primary ISP goes down this traffic still trying to go out via primary ISP and due to probing, connection table on the firewall will get automatically refresh.&nbsp;</P><P>&nbsp;</P><P>Logs after failover done to secondary ISP&nbsp;</P><P>++</P><P>;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=47 65.**.**.123:0 -&gt; 165.**.**.12:2048 dropped by misp_rt_chain Reason: Interface is inactive;<BR />;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=47 65.**.**.123:0 -&gt; 165.**.**.12:2048 dropped by misp_rt_chain Reason: Interface is inactive;<BR />;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=47 65.**.**.123:0 -&gt; 165.**.**.12:2048</P><P> </P><P>dropped by misp_rt_chain Reason: Interface is inactive;</P><P>++</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DUal ISP.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/7435i1D635C593CFE4434/image-size/medium?v=v2&amp;px=400" role="button" title="DUal ISP.png" alt="DUal ISP.png" /></span></P> Thu, 30 Jul 2020 20:55:17 GMT amdhim0004 2020-07-30T20:55:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/92930#M7178 <P>Hello All,</P><P>Issue - Fail over is not working in dual ISP setup.</P><P>Issue Description - We have attached setup in our environment and while trying to do a fail over towards secondary ISP. We observed that old connections are still trying to exit out from primary (Down ISP) and in debug I am getting interface inactive.&nbsp;</P><P>What I observer that if we reset the connection from user end or connection get clear from connection table, then it will go via secondary ISP.&nbsp;</P><P>The thing is this behaviour looks ok with http/https traffic.&nbsp;</P><P>But IPSec and GRE traffic is causing major issue.&nbsp;</P><P>We have 2 different routers behind the firewall trying to communicate internet using IPSec and GRE and we have probing mechanism enabled. So when primary ISP goes down this traffic still trying to go out via primary ISP and due to probing, connection table on the firewall will get automatically refresh.&nbsp;</P><P>&nbsp;</P><P>Logs after failover done to secondary ISP&nbsp;</P><P>++</P><P>;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=47 65.**.**.123:0 -&gt; 165.**.**.12:2048 dropped by misp_rt_chain Reason: Interface is inactive;<BR />;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=47 65.**.**.123:0 -&gt; 165.**.**.12:2048 dropped by misp_rt_chain Reason: Interface is inactive;<BR />;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=47 65.**.**.123:0 -&gt; 165.**.**.12:2048</P><P> </P><P>dropped by misp_rt_chain Reason: Interface is inactive;</P><P>++</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DUal ISP.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/7435i1D635C593CFE4434/image-size/medium?v=v2&amp;px=400" role="button" title="DUal ISP.png" alt="DUal ISP.png" /></span></P> Thu, 30 Jul 2020 20:55:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/92930#M7178 amdhim0004 2020-07-30T20:55:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/197604#M36915 <P>Hi Amdhim0004&nbsp;</P><P>&nbsp;Myself too getting the same issue, Did you got the solution on this.</P><P>Please assist me to solve this.</P><P>Thanks</P><P>Rajkumar T</P> Thu, 09 Nov 2023 15:00:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/197604#M36915 vijayakumar_M 2023-11-09T15:00:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/197781#M36956 <P>Need to add one route for Monitoring from Secondary ISP.</P><P>Set next hope as Secondary ISP gateway IP address.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>Amandeep</P> Mon, 13 Nov 2023 08:33:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DUAL-ISP-fail-over-is-not-working-found-some-strange-behaviour/m-p/197781#M36956 amdhim0004 2023-11-13T08:33:13Z