Dear Community,
as an ISP we are monitoring our customer environments through IPSec tunnels from our datacenter.
I don't know why, but two of our Check Point installations are strange - I cannot access the secondary node through IPSec - other sites work well with the same design. One troublemaker runs an old VRRP cluster (R77.30), the other one is a ClusterXL (R80.20).
This is the general setup:
The monitoring server is able to contact the MGMT VIP and node one, but obviously we need to monitor the second node as well.
The kernel param "fwha_forw_packet_to_not_active" is set to yes on both nodes, but packets are getting dropped as "received unencrypted packet...should be encrypted". I also tried to do a hide NAT with a dummy IP to masquerade the access to the second node, as if it is sourced from that dummy IP - didn't work either.
I can't find the point I'm missing here - hopefully the community can help?
Best Regards
Johannes