HristoGrigorov

Static routing not working after policy install

Hi,

Is anyone able to easily confirm this?

1. Have two ISP connections: ISP-A and ISP-B configured in HA mode.

2. Add the following static routes:

src: 192.168.0.0/24 via ISP-B, metric:10

src: 192.168.0.0/24 via ISP-A, metric: 20

3. Observe static routing works fine and outgoing connections pass through ISP-B. 

4. Make just any change and install policy.

5. Observe static routing no longer works and in fact outgoing traffic is stuck and does not go through either of the ISP connections.

0 Kudos
9 Replies
PhoneBoy
Admin

What appliance and code version?

How did you configure the ISP redundancy?

0 Kudos
HristoGrigorov

Thanks and sorry, forgot to mention it:

This is Check Point's 1470 Appliance R77.20.80 - Build 437

and

ISP redundancy is in High-Availability mode with ISP-A being Primary and the other Secondary. Both ISPs are sharing the same WAN interface using VLANs.

0 Kudos
PhoneBoy
Admin

The other relevant question: locally managed or via external security management?

Based on what you're describing, it seems like the latter.

Also, is it all traffic going out 192.168.0.0/24 that fails after a policy push?

0 Kudos
HristoGrigorov

Yes, centrally managed. Only traffic that is supposed to go out through the WAN interface fails. Other (internal) traffic works fine.

0 Kudos
PhoneBoy
Admin

Is it ALL WAN traffic or just traffic destined for 192.168.0.0/24?

Either way, this seems like a bug and you should open a TAC case so we can collect the appropriate Troubleshooting.

0 Kudos
HristoGrigorov

It is outgoing routing, so only traffic from 192.168.0.0/24 to WAN is not working. I wanted a quick confirmation from someone else before I engage TAC because it all seems kind of peculiar to me and I am not sure if the problem is not something I am doing wrong.

0 Kudos
Maarten_Sjouw
Champion

Have you tried using the actual IP of the ISP-A and ISP-B gateways instead of the ISP-A or B setting?

Regards, Maarten
0 Kudos
HristoGrigorov

Thanks for the suggestion. I tried it but unfortunately the end result is the same. What I noticed, however, is that there is still connectivity; I can telnet, for example, to port 80 or 443. So it must be one of the AC/UF blades that is failing.

0 Kudos
HristoGrigorov

I have opened an SR now and we are investigating it together with TAC. I will demand a fix for this because it is the only way to have working SecureXL and still utilize the secondary ISP somehow. Even though it is a manual way to do it.

Will update when there is progress...
