This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
MVP Gold
MVP Gold
‎2018-10-10 08:41 PM

Static routing not working after policy install

Hi,

Is anyone able to easily confirm this?

1. Have two ISP connections: ISP-A and ISP-B configured in HA mode.

2. Add following static routes:

src: 192.168.0.0/24 via ISP-B, metric:10

src: 192.168.0.0/24 via ISP-A, metric: 20

3. Observe static routing works fine and outgoing connections pass through ISP-B. 

4. Do just any change and install policy.

5. Observe static routing no longer works and in fact outgoing traffic is stuck and does not go through either of the ISP connections.

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2018-10-12 04:58 AM

What appliance and code version?

How did you configure the ISP redundancy?

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2018-10-12 07:36 AM
In response to PhoneBoy

Thanx and sorry, forgot to mention it:

This is Check Point's 1470 Appliance R77.20.80 - Build 437

and

ISP redundancy is in High-Availability mode with ISP-A being Primary and the other Secondary. Both ISPs are sharing same WAN interface using VLANs.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-13 12:58 AM
In response to HristoGrigorov

The other relevant question: locally managed or via external security management?

Based on what you're describing it seems like latter.

Also, is it all traffic going out 192.168.0.0/24 that fails after a policy push?

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2018-10-13 05:19 AM
In response to PhoneBoy

Yes, centrally managed. Only traffic that is supposed to go out through WAN interface fails. Other (internal) traffic works fine.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-14 05:27 AM
In response to HristoGrigorov

Is it ALL WAN traffic or just traffic destined for 192.168.0.0/24?

Either way, this seems like a bug and you should open a TAC caseso we can collect the appropriate Troubleshooting.

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2018-10-14 11:57 AM
In response to PhoneBoy

It is outgoing routing, so only traffic from 192.168.0.0/24 to WAN is not working. I wanted quick confirm from someone else before I engage TAC because it all seem kind of peculiar to me and I am not sure if problem is not something I am doing wrong.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-10-20 01:09 PM

Have you tried using the actual IP of the IPS-A and ISP-B gateways instead of the ISP-A or B setting?

Regards, Maarten
0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2018-10-21 08:49 PM
In response to Maarten_Sjouw

Thanx for the suggestion. I tried it but unfortunately end result is the same. What I noticed however is that there is still connectivity, I can telnet for example to port 80 or 443. So it must be some of the AC/UF blades that is failing.

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2018-11-26 09:57 AM

I have opened SR now and we are investigating it together with TAC. I will demand fix for this because it is the only way to have working SecureXL and still utilize secondary ISP somehow. Even though it is a manual way to do it.

Will update when there is a progress...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events