tspunkt
Contributor

Central Managed SMB: ISP redundancy and VPN community

Hey Checkmates,

I have a centrally managed SMB 1430 connected with a VPN community to another Checkpoint Gateway.

I have configured ISP redundancy with the main connection on WAN and the secondary connection on a free, unconfigured LAN port. Both connections are online and configured in HA mode. The WANs have different providers and also different IPs.

In the Management (different location, so connected via WAN) the Gateway IP is the public IP of the main connection. When the main connection is down, the gateway goes to error state in Management and I'm unable to connect to the device, and the VPN community goes down. Also, all users in the LAN behind are unable to connect to the Internet. But I know that the second ISP is working.

How can I solve this? I checked the configuration guide but I can't find the issue.

Thank you 🙂

4 Replies
G_W_Albrecht
Legend

Is the SMB 1430 configured with Dynamic IP? This is for the SMS connection. Does the LAN ISP connection alone work?

CCSE CCTE SMB Specialist
tspunkt
Contributor

Do you mean in Management? No, the checkbox isn't ticked. The message says that NAT definitions will be removed and some other configs will be reset. I don't know what happens when I click OK, so I don't want to test it ;-)...

If I disconnect the main WAN, the LAN is disconnected from the Internet, so I believe the LAN ISP doesn't work as planned. But the connection worked before the "new" main ISP was added.

G_W_Albrecht
Legend

SMS only knows the WAN IP, so it is understandable that it will only work with the WAN ISP. I would suggest contacting TAC for a quick RAS to correct the configuration on the SMB...

CCSE CCTE SMB Specialist
RS_Daniel
Advisor

Hello,

From my perspective you have two different problems in your scenario. The first one is that when your VPN is down, "the gateway goes to error state in Management". I imagine this is because the public IP address of both gateways is implicitly included in the VPN domain. AFAIK the traffic from management to the gateway should be handled by implied rules and not be encrypted; however, I would try to exclude the public IP addresses of both gateways from the VPN, so traffic related to management does not need the tunnel. Check sk108600 scenario 3 to configure these exclusions. Exclude both public IP addresses as source and destination; you will need to find the correct crypt.def location for SMBs (sk98241). We have this working in this way with a customer with many centrally managed SMBs and never lose management when VPNs are down.

For your second problem, "Also all users in the LAN behind are unable to connect to Internet": more details are needed to provide a better answer, but is it supposed that Internet traffic from the remote site goes through the VPN? You mentioned that your secondary connection is a "free unconfigured LAN port"; how is it free/unconfigured exactly? Is it a DAIP connection? Is it in active state? Is ISP redundancy enabled on this interface? Do you have an automatic default route for this interface? Can you ping the default gateway? If your answer is yes to the last 4 questions, I would check your VPN configuration/encryption domains to start troubleshooting. HTH.

Regards

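To make the crypt.def exclusion in the reply above concrete, here is an illustrative fragment. It is an added example, not taken from the thread, from sk108600 or from Check Point documentation; the exact macro form and the file location for centrally managed SMBs must be taken from sk108600 scenario 3 and sk98241, not from this snippet. The addresses are placeholders from the RFC 5737 documentation ranges: 192.0.2.10 stands for the Security Management Server and 198.51.100.5 for the SMB 1430's main-ISP public IP. Both directions are listed because the exclusion is evaluated per packet, so management-initiated and gateway-initiated connections each need a matching clause.

```inspect
// crypt.def fragment (illustrative, assumed syntax; see sk108600 scenario 3).
// Purpose: keep SMS <-> SMB management traffic out of the site-to-site VPN,
// so the gateway stays reachable in SmartConsole when the tunnel is down.
//
// Placeholders (assumptions, RFC 5737 documentation addresses):
//   192.0.2.10    = Security Management Server public IP
//   198.51.100.5  = SMB 1430 public IP on the main ISP
//
// The stock line to replace is:
//   #define NON_VPN_TRAFFIC_RULES 0
//
// Replacement: match both directions of the management connection.
#define NON_VPN_TRAFFIC_RULES (((src=192.0.2.10) and (dst=198.51.100.5)) or ((src=198.51.100.5) and (dst=192.0.2.10)))
```

Two practical notes on this fragment, both my own inference from the thread rather than something the replies state: the change only takes effect after the policy is installed on the gateway, and because the original poster's two ISPs use different public IPs, an exclusion that lists only the main-ISP address will not cover packets sourced from the secondary ISP's address after a failover, so a second pair of clauses for that address would be needed if management is ever expected to reach the SMB over the backup link.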