This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vlw38
Explorer
‎2020-04-13 08:23 AM

SSL-VPN fails during HA Failover

Topology:  (2) CP 5600 2 R80.30 in active/standby HA w/ ISP-Redunancy load-balancing

                   VPN client: Checkpoint Mobile for Windows

Here is the problem:

 

Shutdown the Comcast fiber ISP connection. This is NOT the firewall interfaces but the switch port to the Comcast fiber. So the firewall ComCast fiber interfaces stay up. The Comcast fiber ISP side is down.

Create a VPN client connection to the DR Comcast coax connection (173.162.x.x).

Connect to the DR connection – everything AOK. Properties of connection show name and IP address are 173.162.x.x. 

 

Disconnect from DR connection

Reconnect to DR connection. Connection details are updated to include Comcast Fiber IP address.

I think this problem is due to the firewalls serving up the main IP as the VPN gateway.

Any suggestions on how to resolve this?

 

 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-04-14 02:10 PM

Is your goal to always use the Comcast address for Remote Access termination?
0 Kudos
vlw38
Explorer
‎2020-04-15 05:05 AM
In response to PhoneBoy

Yes we want to always use the Comcast address but, we have two Comcast links – Comcast fiber/ISP#1 and Comcast Coax/ISP#2. We have ISP Redundancy enabled.  In Gateway Cluster Properties/IPSEC VPN/LinkSelection we have Comcast fiber/ISP#1 = Always Use This IP Address

The Use Probing /Link Redundancy Mode offers the option to include both the Comcast fiber/ISP#1 and Comcast Coax/ISP#2 ip addresses. We spoke w/CP and they told us that none of the remote clients support/recognize the Probing config as per SK113617. They offered options such as manual failover (type in Comcast Coax/ISP#2 in Gateway Cluster Properties/IPSEC VPN/LinkSelection)  or installing another fw an using some type of MEP config. Ridiculous!

0 Kudos
Wolfgang
Authority
Authority
‎2020-04-15 09:13 AM

Dear vlw38,

this is normal behaviour for VPN client connections. Link selection configuration via SmartConsole is used only for site 2 site VPN.

You have to follow  Configuring VPN Link Selection for Remote Access client to configure.

Remote Access clients can connect to VPN Gateway only once shows your problem.

Wolfgang

0 Kudos
vlw38
Explorer
‎2020-04-15 04:40 PM
In response to Wolfgang

Thank you for the information.  We will test the configs referenced in your provided links in the next 5 days.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events