Santosh_Pandey
Explorer

HTTPS traffic passes through default route only and not static route when HTTPS inspection is switched on.

Hi, 

We have a 750 device with three internet connections in load sharing mode. Two of the three internet connections act as default route and one is not used as default route, as I have cleared "route traffic through this connection" in properties. I have created a static route for a host which points to the internet connection not participating in load sharing. The HTTPS inspection blade is enabled on the device. Now when we test traffic routing on that host, we find that all traffic except HTTPS traffic routes as desired from the specified interface as per the static route, but when we exclude HTTPS inspection from that host then HTTPS traffic routes perfectly as well. Not able to figure out why this happens. Need help on this as we need to route a few hosts through that particular link for all traffic.

0 Kudos
10 Replies
G_W_Albrecht
Legend

I would involve TAC - the ISP configuration is as the Admin Guide suggests and SSL Inspection should not change routing! :(

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Santosh_Pandey
Explorer

Thanks a lot Albrecht for the response, will take up this issue with TAC.

0 Kudos
Santosh_Pandey
Explorer

Took the issue up with TAC; after investigating, they found this issue to be a bug and have collected the required files for R&D.

Will keep you posted on this when I get a solution from TAC. Would like to thank Albrecht once again for the suggestion!

0 Kudos
G_W_Albrecht
Legend

It did look like a bug to me, too - that was the reason I suggested TAC for resolving it. I suppose firmware 77.20.80 is installed?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Santosh_Pandey
Explorer

Yes, the firmware you mentioned is installed. TAC tried with a firmware update build for some fixes relating to VLANed WAN, but that did not help, so finally they took the CPfile for lab test and R&D.

0 Kudos
G_W_Albrecht
Legend

I wish good luck then and hope the issue is resolved asap!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Santosh_Pandey
Explorer

Thanks!!

0 Kudos
Pedro_Espindola
Advisor

Man! I had some routing issues that I couldn't understand. Now that you mention it, I believe my problem is also related to HTTPS Inspection.

I even posted a question about it here: PBRs and ISP redundancy on SMB appliances

Thank you, Santosh!

0 Kudos
Santosh_Pandey
Explorer

Thanks mate, will keep you posted once I hear from TAC. It took a while to figure out the routing issue due to HTTPS inspection; it all started because I was not getting the desired VPN throughput, as the VPN return packets were getting routed through the default route. That prompted me to do static routing and force the return path of the VPN packets through the desired link; then I figured out that all HTTPS traffic destined for port 443 is routing through the default route only. Being new to Check Point, I thought this may be due to some configuration or advanced settings, so I posted it here and, as suggested by Gunther, took it up with TAC.

0 Kudos
Santosh_Pandey
Explorer

Hello mates, I would like to update that the issue is resolved, as TAC provided me the firmware version R77.20.81 build (990172537), after which static routing is working fine with SSL inspection switched on.

0 Kudos
