Hi,
Could someone please help us with this? We have a client who is using an R80.10 cluster firewall and has ISP failover configured, but when the primary ISP goes down we can see on the tracker that the secondary ISP preceded the connection, yet there is still no internet connection for the users. We have already done the isolation steps listed below.
- Checked the secondary ISP internet connection by bypassing the firewall (it has internet connection).
- Made sure that we only have one default gateway (primary ISP default gateway).
- Checked the next hop IP address for both ISPs in the ISP redundancy setting in SmartDashboard.
- Checked sk61692 for possible misconfiguration.
- Made sure the default gateway/next hop IP addresses for both ISPs are reachable.
- Checked the ISP failover status in Clish by using the "cpstat fw" command.
- We also did a test on a standalone R80.10 firewall and got the same output.
Regards,
Hello,
Could you elaborate with the "cpstat fw" result and tell us whether the routing table changes on ISP failover ("route -n")?
Hi Anthony,
Thanks for your reply. When I run "cpstat fw" I can see that both ISPs have OK status. For testing, I manually turn down the primary to check whether failover works. After turning down the primary ISP, I see on the tracker that the primary ISP is down and that the secondary ISP is up for connection, but there is still no internet connection for users.
When an ISP goes down, you should have a change in the routing table.
"watch -d route -n"
Do you see it?
Regards,
Anthony
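The routing-table check suggested above, as an added example that is not part of the original post: a POSIX shell helper that compares two saved `route -n` snapshots and reports whether the default route moved to the backup gateway. The function names, interface names and addresses are assumptions, and the snapshots are constructed.

```shell
#!/bin/sh
# Added example. Snapshots are constructed; addresses are RFC 5737
# documentation ranges and interface names are assumptions.

# Print "gateway iface" of the active default route (lowest metric wins).
default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ {
            if (best == "" || $5 + 0 < metric) { metric = $5 + 0; best = $2 " " $8 }
        }
        END { if (best != "") print best }'
}

# failover_state BEFORE AFTER BACKUP_GW: classify what the failover did.
failover_state() {
    before=$(default_route "$1")
    after=$(default_route "$2")
    if [ -z "$after" ]; then echo "no-default-route"
    elif [ "$after" = "$before" ]; then echo "unchanged"
    elif [ "${after%% *}" = "$3" ]; then echo "switched-to-backup"
    else echo "switched-unexpected"
    fi
}

# Constructed snapshot: primary ISP up (eth1), backup ISP on eth2.
BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed snapshot: primary link pulled, default route via backup ISP.
AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth2
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed snapshot: only connected routes remain, no default route.
NODEF='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0'

failover_state "$BEFORE" "$AFTER" 198.51.100.1
```

On a live gateway, pass it the `route -n` output captured before and after the primary link is pulled, together with the backup ISP's next-hop address.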
Yes, I can see the default route change whenever I manually turn down the primary ISP. What's weird is that I can see on the tracker that the failover is working and that my firewall users are being NATed using the secondary ISP IP address, but internet access is still not working.
I also tried testing this setup on an R77.30 firewall and it's working; it is only on R80.10 that I'm having trouble.
Thanks for responding.
Hello Rudy,
From what I have learned about R80.10, topology is much more enforced than before.
An example: if the topology is wrong on the object, it can discard the traffic without blocking it. (A database correction solves the issue.)
This morning I'll build a lab with R77.30 and R80.10 with 2 ISPs and try to replicate your issue.
Did you try to disable SXL for testing purposes?
Could you kindly provide me with some more debugs?
```
ping 8.8.8.8          # from one host on your network
fwaccel off           # (if you can)
fw ctl zdebug drop | grep 8.8.8.8
fw monitor -e "host(8.8.8.8),accept;"
route -n
fw ctl affinity -l -r -v
```
Remove as much information about host IPs, etc. ... we need interfaces and NAT.
Regards,
Anthony
In case the backup line goes UP and there is still no Internet connection, what about NAT rules? Have you configured them properly for the inside networks, like the following?
Hi Petr,
I have already checked the NAT configuration for the users against that setting and it's still not working.
Thanks for responding.
1) Tried clearing the CAM tables on your switches/routers? Also, any static ARPs?
2) Have you run a zdebug + drop as well as fw monitor (turn off SXL)? That would hopefully tell you a little more.
3) Failover? Rebooted the members?
Hi,
Thanks for responding.
1. There are no static ARPs on the router.
2. I tried running fw monitor and it shows that both connections for the ISPs are working fine.
3. Yes, we set up the configuration as failover. What do you mean by rebooted the members?
Hi Guys!
I just solved the issue today. I installed the jumbo hotfix for R80.10 take 154 for it to work. Thanks everyone for the help!
I am also facing the same error on R80.30. Can someone please help me with this?
Regards,
Najeeb Ahmad
Did you get a solution to this problem? Kindly share.