Ivory

SSL-VPN fails during HA Failover

Topology: (2) CP 5600 2 R80.30 in active/standby HA w/ ISP-Redundancy load-balancing

VPN client: Checkpoint Mobile for Windows

Here is the problem:

Shut down the Comcast fiber ISP connection. This is NOT the firewall interfaces but the switch port to the Comcast fiber, so the firewall Comcast fiber interfaces stay up. The Comcast fiber ISP side is down.

Create a VPN client connection to the DR Comcast coax connection (173.162.x.x).

Connect to the DR connection – everything AOK. Properties of connection show name and IP address are 173.162.x.x. 

Disconnect from DR connection

Reconnect to DR connection. Connection details are updated to include Comcast Fiber IP address.

I think this problem is due to the firewalls serving up the main IP as the VPN gateway.

Any suggestions on how to resolve this?

4 Replies
Admin
Admin

Is your goal to always use the Comcast address for Remote Access termination?
Ivory

Yes, we want to always use the Comcast address, but we have two Comcast links – Comcast fiber/ISP#1 and Comcast Coax/ISP#2. We have ISP Redundancy enabled. In Gateway Cluster Properties/IPSEC VPN/Link Selection we have Comcast fiber/ISP#1 = Always Use This IP Address.

The Use Probing / Link Redundancy Mode offers the option to include both the Comcast fiber/ISP#1 and Comcast Coax/ISP#2 IP addresses. We spoke w/ CP and they told us that none of the remote clients support/recognize the Probing config, as per SK113617. They offered options such as manual failover (type in Comcast Coax/ISP#2 in Gateway Cluster Properties/IPSEC VPN/Link Selection) or installing another fw and using some type of MEP config. Ridiculous!

Gold

Dear vlw38,

This is normal behaviour for VPN client connections. Link selection configuration via SmartConsole is used only for site-to-site VPN.

You have to follow "Configuring VPN Link Selection for Remote Access client" to configure.

"Remote Access clients can connect to VPN Gateway only once" shows your problem.

Wolfgang

Ivory

Thank you for the information. We will test the configs referenced in your provided links in the next 5 days.
