Johannes_Schoen
Collaborator

Can't monitor secondary node over IPSec tunnel

Dear Community,

as an ISP we are monitoring our customer environments through IPSec tunnels from our datacenter.

I don't know why, but two of our Check Point installations are strange - I cannot access the secondary node through IPSec - other sites work well with the same design. One troublemaker runs an old VRRP cluster (R77.30), the other one is a ClusterXL (R80.20).

This is the general setup:

[topology diagram]

The monitoring server is able to contact the MGMT VIP and node one, but obviously we need to monitor the second node as well.

The kernel param "fwha_forw_packet_to_not_active" is set to yes on both nodes, but packets are getting dropped as "received unencrypted packet...should be encrypted". I also tried to do a hide NAT with a dummy IP to masquerade the access to the second node, as if it is sourced from that dummy IP - didn't work either.

I can't find the point I'm missing here - hopefully the community can help?

Best Regards

Johannes
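As an added example (not from the post and not Check Point code), the following script groups log export lines by destination and separates accepted monitoring packets from the "should be encrypted" drops, so the affected destination stands out as the standby member's address rather than the VIP. The export field layout, the addresses and the role table are constructed placeholders.

```python
# Added triage example: per-destination view of accepted packets vs.
# "received unencrypted packet...should be encrypted" drops.

# Constructed sample lines in a "key=value;" export layout. Assumption:
# the field names (action, src, dst, reason) may differ in a real export.
SAMPLE_LOGS = [
    "action=Accept;src=10.99.0.5;dst=192.0.2.1;reason=",
    "action=Accept;src=10.99.0.5;dst=192.0.2.2;reason=",
    "action=Drop;src=10.99.0.5;dst=192.0.2.3;reason=received unencrypted packet...should be encrypted",
    "action=Drop;src=10.99.0.5;dst=192.0.2.3;reason=received unencrypted packet...should be encrypted",
    "action=Drop;src=10.99.0.5;dst=203.0.113.9;reason=received unencrypted packet...should be encrypted",
]

# Constructed inventory of the monitored site (placeholder addresses).
ROLES = {
    "192.0.2.1": "cluster VIP",
    "192.0.2.2": "member 1 (active)",
    "192.0.2.3": "member 2 (standby)",
}


def parse_line(line):
    """Split one export line into a dict; tolerates '=' inside values."""
    return dict(field.split("=", 1) for field in line.split(";") if "=" in field)


def summarize(lines):
    """Per destination: accepted packets vs. packets dropped as unencrypted."""
    out = {}
    for rec in map(parse_line, lines):
        dst = rec.get("dst")
        if not dst:
            continue
        entry = out.setdefault(dst, {"accept": 0, "unencrypted_drop": 0})
        if rec.get("action") == "Accept":
            entry["accept"] += 1
        elif rec.get("action") == "Drop" and "should be encrypted" in rec.get("reason", ""):
            entry["unencrypted_drop"] += 1
    return out


def suspects(summary, roles):
    """Destinations only ever seen in the clear (drops, never an accept), with their role."""
    return {dst: roles.get(dst, "unknown")
            for dst, c in summary.items()
            if c["unencrypted_drop"] and not c["accept"]}


if __name__ == "__main__":
    for dst, role in suspects(summarize(SAMPLE_LOGS), ROLES).items():
        print(f"{dst} ({role}): reached only in the clear")
```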

30 Replies
Vladimir
Champion

I am just curious if anyone has tried this with each cluster member having a /32 loopback interface that is included in the encryption domain and used for monitoring?

