vlw38
Explorer

SSL-VPN fails during HA Failover

Topology: (2) CP 5600, R80.30, in active/standby HA w/ ISP Redundancy load-balancing

VPN client: Check Point Mobile for Windows

Here is the problem:

 

Shut down the Comcast fiber ISP connection. This is NOT the firewall interface but the switch port to the Comcast fiber, so the firewall's Comcast fiber interfaces stay up. The Comcast fiber ISP side is down.

Create a VPN client connection to the DR Comcast coax connection (173.162.x.x).

Connect to the DR connection: everything is OK. The properties of the connection show the name and IP address as 173.162.x.x.

 

Disconnect from the DR connection.

Reconnect to the DR connection. The connection details are updated to include the Comcast fiber IP address.

I think this problem is due to the firewalls serving up the main IP as the VPN gateway.

Any suggestions on how to resolve this?

4 Replies
PhoneBoy
Admin

Is your goal to always use the Comcast address for Remote Access termination?
vlw38
Explorer

Yes, we want to always use the Comcast address, but we have two Comcast links: Comcast fiber/ISP#1 and Comcast coax/ISP#2. We have ISP Redundancy enabled. In Gateway Cluster Properties / IPsec VPN / Link Selection we have Comcast fiber/ISP#1 = Always Use This IP Address.

The Use Probing / Link Redundancy Mode offers the option to include both the Comcast fiber/ISP#1 and Comcast coax/ISP#2 IP addresses. We spoke w/ CP and they told us that none of the remote clients support/recognize the Probing config, as per sk113617. They offered options such as manual failover (type in Comcast coax/ISP#2 in Gateway Cluster Properties / IPsec VPN / Link Selection) or installing another firewall and using some type of MEP config. Ridiculous!

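The failure described in the original post is one a gateway-side check cannot see: the cluster's fiber interface stays up while the provider side is down, so only a probe from the client's vantage point tells you which of the two ISP addresses a Remote Access client can actually reach. The script below is an added example for this thread, not code from the post or from Check Point. It assumes the client reaches the gateway in Visitor Mode on TCP/443 (a TCP probe cannot test a UDP/500 + UDP/4500 only deployment, so adjust PROBE_PORT or the probe function to match yours), and the two ISP addresses are constructed RFC 5737 placeholders standing in for the fiber and coax addresses in the post. The probe function is pluggable so the selection logic can be exercised offline.

```python
"""Client-side reachability check for a cluster's Remote Access addresses.

Added example for this thread, not code from the original post or from Check Point.
Assumptions: the Mobile client reaches the gateway on TCP/443 (Visitor Mode), and
the two ISP addresses below are constructed placeholders (RFC 5737 documentation
ranges) standing in for the fiber and coax addresses mentioned in the post.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

PROBE_PORT = 443      # assumption: Visitor Mode (TCP/443) is enabled on the gateway
PROBE_TIMEOUT = 2.0   # seconds to wait per address


@dataclass(frozen=True)
class GatewayLink:
    name: str
    ip: str


# Constructed sample data: the cluster's two ISP Redundancy links, in the order the
# client should try them (the "Always Use This IP Address" link first).
LINKS: Sequence[GatewayLink] = (
    GatewayLink("Comcast fiber / ISP#1", "198.51.100.10"),
    GatewayLink("Comcast coax / ISP#2 (DR)", "203.0.113.10"),
)


def tcp_probe(ip: str, port: int = PROBE_PORT, timeout: float = PROBE_TIMEOUT) -> bool:
    """Return True only if a full TCP handshake completes with ip:port.

    This exercises the path from the client to the ISP-facing address, which is
    what fails in the post: the provider side is down while the cluster's own
    interface stays up, so an interface-up check on the gateway would still pass.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_links(links: Sequence[GatewayLink],
                probe: Callable[[str], bool] = tcp_probe) -> Dict[str, bool]:
    """Probe every configured link and return {link name: reachable}."""
    return {link.name: probe(link.ip) for link in links}


def select_link(links: Sequence[GatewayLink],
                probe: Callable[[str], bool] = tcp_probe) -> Optional[GatewayLink]:
    """Return the first link (in configured order) the client can actually reach.

    This is the client-side counterpart of the manual failover the thread mentions:
    when the primary address fails the probe, the next link is the one to enter in
    Link Selection (or to point the client at) until the provider recovers.
    """
    for link in links:
        if probe(link.ip):
            return link
    return None


def failover_advice(links: Sequence[GatewayLink],
                    probe: Callable[[str], bool] = tcp_probe) -> str:
    """Summarise the probe results as a one-line recommendation."""
    chosen = select_link(links, probe)
    if chosen is None:
        return "no Remote Access address reachable on TCP/%d" % PROBE_PORT
    if chosen is links[0]:
        return "primary link %s is reachable; no change needed" % chosen.name
    return "primary %s unreachable; use %s (%s) until the ISP recovers" % (
        links[0].name, chosen.name, chosen.ip)


if __name__ == "__main__":
    # Run from a client network, not from the gateway itself.
    for name, ok in probe_links(LINKS).items():
        print("%-28s %s" % (name, "reachable" if ok else "UNREACHABLE"))
    print(failover_advice(LINKS))
```

Run it from the same network a remote user would connect from; run from inside the firewall's own subnet it only proves the interface is up, which is exactly the condition the post shows is not enough.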
Wolfgang
Authority

Dear vlw38,

This is normal behaviour for VPN client connections. Link Selection configuration via SmartConsole is used only for site-to-site VPN.

You have to follow "Configuring VPN Link Selection for Remote Access clients" to configure it.

"Remote Access clients can connect to VPN Gateway only once" shows your problem.

Wolfgang

vlw38
Explorer

Thank you for the information. We will test the configs referenced in your provided links in the next 5 days.
