This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cmale
Explorer
‎2026-03-17 06:54 AM

ISP Redundancy Load Sharing

Good morning,

I am currently running Cluster XL with two 9100s with ISP Redundancy - Load Sharing (50/50) and ran into an issue.

Both of my BGP links are showing 'Established' and both links are showing 'OK'. However, I wanted to test ISP Redundancy, so I powered off my standby appliance and unplugged ISP Link A from the Active and I could not resolve DNS. Internet was lost.

From my understanding, when one ISP Link goes down, the other should take over 100%. This obviously did not happen. 

Anything in particular I should look into?

Thank you.

0 Kudos
8 Replies
simonemantovani
MVP Gold
MVP Gold
‎2026-03-17 06:59 AM

Hello

could you provide some diagram about your network configuration? Just to understand your configuration (routing, interfaces, bgp and so on).

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2026-03-17 08:31 AM

When you perform manual failover to backup ISP it works? So active/standby. How did you resolve DNS, from client or fw itself? Did the logging showed it did a failover? (Smartlog / var/log/messages)

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
cmale
Explorer
‎2026-03-18 05:21 AM
In response to Lesley

No. I took the standby appliance offline, and then on the active appliance, I remove the link for ISP A. Theoretically, ISP B should have taken over, but at that point, we lost internet until I plugged ISP A back in.

0 Kudos
simonemantovani
MVP Gold
MVP Gold
‎2026-03-18 05:52 AM

To better help you, we need more information, for example, did you cyheck the output of the command cpstat fw when you disconnected the ISP A? Also reports the output of the command now that you have all the ISPs connected.

Instead of disconnecting firewall or ISP, to simply test ISP B, you could try the command 

fw isp_link ISP-A down 

(Replace ISP-A with the name of the connection as configured in Smartconsole in ISP redundancy section).

0 Kudos
Martijn
MVP Silver
MVP Silver
‎2026-03-18 06:30 AM

Hi,

When all was normal (cluster OK and IPS-A connected) was ISP Load Sharing working?
Did you see traffic leaving the IPS-B interface when all is OK?

Is NAT configured correctly? What do you see in the logs when it comes to outboud NAT?

If you can provide more info, that would be great?

Martijn


0 Kudos
cmale
Explorer
‎2026-03-26 06:07 AM
In response to Martijn

Looking into this further, it appears the second link for ISP-B is not active when I run show route all on my active appliance. It has an 'i' next to the route. So, it was never actually load-sharing like it is configured for.

0 Kudos
BikeMan
Collaborator
‎2026-03-26 06:17 AM
In response to cmale

Hi,

Usually when ISPR is not working it is because it is not configured as required.

Check with "cpstat fw" if both link are up. If both are up, check the NAT configuration of the network that should reach internet: it has to be Automatically hidden behind the gateway".

When both link are up, you should see in the logs some session natted behind ISP1 and some behind ISP2.

Rgds,

 

0 Kudos
cmale
Explorer
‎2026-03-27 05:41 AM
In response to BikeMan

Hi,

I have confirmed that both links show 'OK' when I run cpstat fw. I will double check NAT configuration.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events