Di_Junior
Advisor

Eliminating Routing Asymmetry between Two Different Physical Sites Running Check Point Firewalls

Dear Mates

I need your help with regard to a complex issue that I have inherited and now I need to provide solutions for it.

We have two geographically separated sites (represented as SITE A and SITE B), and on both Sites, we are running Check Point Firewalls. Each Firewall is connected to a Router (ROUTER 1 - SITE A, and ROUTER 1 - SITE B). The two routers are then connected to other Routers in the user space through our MPLS network.

Below the Firewalls, there are other routers (ROUTER 2 - SITE A, and ROUTER 2 - SITE B); these two routers also know each other through our internal MPLS network.

Below the two routers (ROUTER 2 - SITE A, and ROUTER 2 - SITE B), there is our Datacenter where all our servers reside.

ROUTER 2 - SITE A has the default route pointing to FIREWALL SITE A

ROUTER 2 - SITE B has the default route pointing to FIREWALL SITE B

The issue that we are currently facing is that when our users (offices, Stores, etc) access our servers in the Datacenter, the traffic to the server can get in through SITE A, and the return traffic from the server can go back through the Firewall on SITE B on its way back to the User who requested it. Unfortunately, the traffic gets dropped because it did not get in from the Firewall in SITE B.

This issue happens because servers in our Datacenter have different default gateways (some have their default gateway pointing to SITE A, and others to SITE B).

I would like to get your contribution, based on your experience, on possible solutions to this problem. Your help will be appreciated.

Thanks

31 Replies
Timothy_Hall
Legend

Yikes, they must have a crapload of fully-accelerated traffic.  That or their two Firewall Worker instances are getting absolutely killed.  Presumably they only have the Firewall and perhaps IPSec VPN blades enabled and nothing else.  Certainly possible I guess, would be interested to see the output of these commands on the active member (please post the results in a new thread):

fwaccel stats -s

sim affinity -l

fwaccel stat

netstat -ni

fw ctl multik stat

enabled_blades

fw ctl affinity -l -r


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
theodossism
Explorer
You could go with setting up BGP on the FWL and just configure a LOCAL Preference in iBGP sessions and MED on eBGP sessions. This way you would save a lot of special and static configuration (no NAT, no proxy ARP, etc.), you would achieve symmetric traffic flows of course (all traffic goes to the primary site) and, more importantly, you would achieve automatic fail-over to the other site in a failure event (nothing for you to do, as the routing protocol would simply do its job).
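The following is an added illustration, not code from the thread or from Check Point: a small Python model of the drop described in the original post and of the effect of the single-preferred-site routing proposed above. Two stateful firewalls (one per site) each keep their own connection table; a reply arriving at the firewall that never saw the connection's first packet is dropped. The addresses and the "nearest site" / "default gateway" tables are constructed, and the "bgp" mode abstracts local preference and MED to the single observable effect the reply describes: both directions of every flow use the preferred site while it is up, and the other site when it is not.

```python
"""Toy model of asymmetric routing across two stateful firewalls (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a connection


FlowKey = FrozenSet[Tuple[str, int]]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent connection identifier: the set of both endpoints."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class StatefulFirewall:
    """Minimal stateful inspection: a reply needs a matching connection entry."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.connections: Set[FlowKey] = set()
        self.drops: List[Packet] = []

    def forward(self, pkt: Packet) -> bool:
        key = flow_key(pkt)
        if pkt.syn:
            self.connections.add(key)  # new connection seen here: record state
            return True
        if key in self.connections:
            return True  # reply matches state this firewall created
        self.drops.append(pkt)  # out-of-state packet: dropped, as in the post
        return False


# Constructed topology: the site each user enters through, and the site each
# server's default gateway points at (the mixed gateways from the post).
USER_NEAREST_SITE: Dict[str, str] = {"10.10.1.5": "A", "10.20.1.7": "B"}
SERVER_DEFAULT_GW: Dict[str, str] = {"10.100.0.10": "A", "10.100.0.20": "B"}


class Network:
    """mode='static': today's default routes.  mode='bgp': one preferred site."""

    def __init__(self, mode: str, preferred_site: str = "A") -> None:
        self.mode = mode
        self.preferred_site = preferred_site
        self.sites_up: Dict[str, bool] = {"A": True, "B": True}
        self.firewalls = {"A": StatefulFirewall("FW-A"), "B": StatefulFirewall("FW-B")}

    def _preferred_or_backup(self) -> str:
        other = "B" if self.preferred_site == "A" else "A"
        return self.preferred_site if self.sites_up[self.preferred_site] else other

    def ingress_site(self, user: str) -> str:
        """Site through which user->server traffic enters the data centre."""
        if self.mode == "static":
            return USER_NEAREST_SITE[user]
        return self._preferred_or_backup()  # MED steers the MPLS side to one site

    def egress_site(self, server: str) -> str:
        """Site through which server->user replies leave the data centre."""
        if self.mode == "static":
            return SERVER_DEFAULT_GW[server]
        return self._preferred_or_backup()  # iBGP local pref steers the ROUTER 2s

    def connect(self, user: str, server: str, sport: int = 40000, dport: int = 443) -> bool:
        """Open one connection; True if the server's reply reaches the user."""
        request = Packet(user, server, sport, dport, syn=True)
        reply = Packet(server, user, dport, sport)
        in_site = self.ingress_site(user)
        if not self.sites_up[in_site] or not self.firewalls[in_site].forward(request):
            return False
        out_site = self.egress_site(server)
        if not self.sites_up[out_site]:
            return False
        return self.firewalls[out_site].forward(reply)


def asymmetric_drops(mode: str) -> List[Tuple[str, str]]:
    """Return the (user, server) pairs whose replies are dropped in the given mode."""
    net = Network(mode)
    failed: List[Tuple[str, str]] = []
    port = 40000
    for user in USER_NEAREST_SITE:
        for server in SERVER_DEFAULT_GW:
            port += 1  # distinct source port per connection
            if not net.connect(user, server, sport=port):
                failed.append((user, server))
    return failed


def failover_demo() -> bool:
    """With site A down, a new connection in 'bgp' mode takes site B both ways."""
    net = Network("bgp", preferred_site="A")
    net.sites_up["A"] = False
    return net.connect("10.10.1.5", "10.100.0.10")


if __name__ == "__main__":
    print("static mode drops:", asymmetric_drops("static"))
    print("bgp mode drops:   ", asymmetric_drops("bgp"))
    print("new connection after site A failure:", failover_demo())
```

In "static" mode every user/server pair whose entry site and server default gateway disagree loses its reply; in "bgp" mode the pairs all succeed because both directions are forced through the same site, and a new connection after the preferred site fails is carried entirely by the other site. The model deliberately says nothing about connections that were already open when a site fails, since the thread does not discuss state synchronisation.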
