https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252941#M1171 <P>Ah, I see what you are saying. Thats true, we can always do that, but we would definitely prefer that process be documented somewhere officially, so there is no ambiguity.</P> <P>Anywho, lets see what SE says : - )</P> <P>Thanks Val as always!</P> <P>Andy</P> Thu, 10 Jul 2025 12:23:45 GMT the_rock 2025-07-10T12:23:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252716#M1165 <P>Hey guys,</P> <P>Figured would share this, since my colleague and I spent lots of hours into testing this with BGP for a client that purchased SASE solution. Since sd-wan is not supported yet and we dont have an idea when it will be with sase, we made it work where redundant vpn tunnels work flawlessly with BGP implemented.</P> <P>Guide:</P> <P><A href="https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/SASE-Admin-Guide/Content/Topics-SASE-IPsec-VPN/On-premises/ConfiguringCheckPointRedundantIPSecTunnel.htm?tocpath=Networks%7CIntegrating%20On-premises%20Firewall%20%252F%20Router%20or%20Cloud%20based%20Resources%7COn-premises%20Firewall%20-%20Configuring%20the%20Tunnel%20in%20the%20Management%20Portal%7C_____5" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/SASE-Admin-Guide/Content/Topics-SASE-IPsec-VPN/On-premises/ConfiguringCheckPointRedundantIPSecTunnel.htm?tocpath=Networks%7CIntegrating%20On-premises%20Firewall%20%252F%20Router%20or%20Cloud%20based%20Resources%7COn-premises%20Firewall%20-%20Configuring%20the%20Tunnel%20in%20the%20Management%20Portal%7C_____5</A></P> <P>But, the way to make this work 100% is NOT to set it where you have CP cluster as center gw and interoperable objects presenting sase pops as satellite, but the other way around, where interoperable ones are center and CP is satellite and then you enable MEP and choose middle option (default one, closest choise) in vpn community (should be configured as star)</P> <P>This works without issues. We will actually show this to CP sase expert, as well as SE guy when we have a call with them, so documentation can be hopefully modified to reflect that, as it would save lots of time for others trying to do the same.</P> <P>We are using BGP per overlay, since we found works better that way, mind you, using BGP loopback interface does offer better scalability.</P> <P>Happy to share any screenshots if needed.</P> <P>Best,</P> <P>Andy</P> Mon, 07 Jul 2025 23:30:04 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252716#M1165 the_rock 2025-07-07T23:30:04Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252911#M1166 <P>Do share the screenshots <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 10 Jul 2025 08:15:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252911#M1166 _Val_ 2025-07-10T08:15:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252931#M1167 <P>Since we want to make sure this would be officially supported by CP, we asked our SE if sk could be written about it, or at least included in the documentation. Obviously, we dont want client to have an issue say a year from today and then we are told by TAC this is not supported...anyway, lets see what comes out of that, but regardless, screenshots attached : - )</P> <P>Andy</P> Thu, 10 Jul 2025 11:49:42 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252931#M1167 the_rock 2025-07-10T11:49:42Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252937#M1168 <P>Or you can ask TAC about the support status. It is considered an official answer.</P> Thu, 10 Jul 2025 11:59:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252937#M1168 _Val_ 2025-07-10T11:59:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252938#M1169 <P>Speaking of that, we figured it would be best to go through our SE, but if you have an email or contact I could present this to, that would work as well.</P> <P>Thanks Val.</P> <P>Andy</P> Thu, 10 Jul 2025 12:01:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252938#M1169 the_rock 2025-07-10T12:01:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252940#M1170 <P>What I mean, you can open a TAC ticket to ask about the support status.</P> Thu, 10 Jul 2025 12:21:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252940#M1170 _Val_ 2025-07-10T12:21:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252941#M1171 <P>Ah, I see what you are saying. Thats true, we can always do that, but we would definitely prefer that process be documented somewhere officially, so there is no ambiguity.</P> <P>Anywho, lets see what SE says : - )</P> <P>Thanks Val as always!</P> <P>Andy</P> Thu, 10 Jul 2025 12:23:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-sase-vpn-redundant-vpn-tunnel-tip/m-p/252941#M1171 the_rock 2025-07-10T12:23:45Z