AntonMakarychev
Contributor
VPN tunnel failover from 4G interface

Hi, Everyone

I would like to share the solution to an issue which I faced with SMB 1590 appliances that use 4G as the redundant interface.

The issue is:

"If you have 4G redundant interface and Site-to-Site VPN tunnel configured then in case of failover to 4G interface and fail-back to the main WAN interface, all the connections will be migrated back to the main WAN interface except VPN connection which will continue working through 4G interface thus producing additional costs from 4G operator"

Check Point has confirmed that it is expected behaviour, so we had to search for a workaround.

Solution:

1. First I prepared a bash script that checks the messages log for the event that the WAN connection is up again and, based on that, restarts the 4G interface so the connection fails back to the primary ISP (also attached):

#!/bin/bash -f
source /pfrm2.0/opt/fw1/conf/.CPprofile.sh

# Map a three-letter month name (as written in /var/log/messages) to a
# two-digit number so timestamps can be compared as plain strings.
# Comparing the month names themselves would sort "Apr" before "Mar".
month_number() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 00 ;;
    esac
}

# Get the current timestamp
current_timestamp=$(date +%s)

# Subtract 1 minute (60 seconds) from the current timestamp
timestamp_1min_before=$((current_timestamp - 60))

# Convert the timestamp to the comparable "YYYY MM DD HH:MM:SS" format
time_1min_before=$(date -d "@$timestamp_1min_before" +"%Y %m %d %H:%M:%S")

# Path to the log file
log_file="/var/log/messages"

# Pattern to search in the log file
search_pattern="Internet connection \"Internet1\" is active now"

# Iterate through the lines of the log file
while read -r line; do
    # Extract and normalise the timestamp from the line (year month day time)
    line_year=$(echo "$line" | awk '{print $1}')
    line_month=$(month_number "$(echo "$line" | awk '{print $2}')")
    line_day=$(echo "$line" | awk '{print $3}')
    line_time=$(echo "$line" | awk '{print $4}')
    if [ "${#line_day}" -eq 1 ]; then
       line_day="0${line_day}"
    fi
    time_line="$line_year $line_month $line_day $line_time"

    # Check if the line timestamp is within the last minute
    if [[ "$time_line" > "$time_1min_before" ]]; then
        # Check if the line contains the search pattern
        if [[ "$line" == *"$search_pattern"* ]]; then
            # Bounce the 4G interface (cell0) so the VPN tunnel re-establishes
            # over the primary WAN, then stop after the first match
            ifconfig cell0 down
            ifconfig cell0 up
            break
        fi
    fi
done < "$log_file"

2. Then I configured a cron job to run the script every minute:

  1. Login to WinSCP.
  2. Open a new session with the SMB firewall.
  3. Upload the file 4G_Script.sh to path /usr/bin/
  4. Login to the SMB firewall using SSH.
  5. Go to Expert mode.
  6. Go to path /usr/bin/
  7. Change the permissions of the file using the command below.

chmod u+x 4G_Script.sh

  8. Run the below command.

crontab -e

  9. Add the new line to run the 4G script as below:

*/1 * * * * /usr/bin/4G_Script.sh

  10. Save the file.

This workaround ensures that the Site-to-Site VPN tunnel will fail over to the primary ISP no more than a minute after the primary ISP becomes active again.

Hope this helps!
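As an added example (not part of the original post or any Check Point code), the script below restructures the same "WAN is back, bounce the 4G interface" check into testable functions and adds one thing a practitioner will want: a state file that records the last event already handled, so consecutive cron runs never bounce the interface twice for the same log line. It assumes the /var/log/messages line layout used in the post ("YYYY Mon D HH:MM:SS host message"), that the interface is called cell0, and it runs over a constructed sample log rather than the appliance's real file; the month-boundary case (31 March to 1 April) is included because comparing month names as strings would miss it.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes log lines of the form
#   "2024 Apr 1 00:00:25 gw connmgr: Internet connection "Internet1" is active now"
# and a 4G interface named cell0 (both taken from the post, not verified here).

# Convert "YYYY Mon D HH:MM:SS" into a sortable key "YYYY MM DD HH:MM:SS".
# Returns 1 for an unknown month so the caller can skip the line.
ts_key() {
    local year="$1" mon="$2" day="$3" time="$4" num
    case "$mon" in
        Jan) num=01;; Feb) num=02;; Mar) num=03;; Apr) num=04;;
        May) num=05;; Jun) num=06;; Jul) num=07;; Aug) num=08;;
        Sep) num=09;; Oct) num=10;; Nov) num=11;; Dec) num=12;;
        *) return 1;;
    esac
    [ "${#day}" -eq 1 ] && day="0$day"
    printf '%s %s %s %s\n' "$year" "$num" "$day" "$time"
}

# Key for "60 seconds ago", the start of the window one cron run looks at.
window_start_key() {
    date -d "@$(( $(date +%s) - 60 ))" +"%Y %m %d %H:%M:%S"
}

# Read log lines on stdin; print the key of the newest "Internet1 is active
# now" event that is newer than $1 (window start) and $2 (last handled key).
# Returns 0 if such an event exists, 1 otherwise.
newest_wan_up_event() {
    local since="$1" handled="$2" pattern='Internet connection "Internet1" is active now'
    local y m d t rest key best=""
    while read -r y m d t rest; do
        case "$rest" in *"$pattern"*) ;; *) continue;; esac
        key=$(ts_key "$y" "$m" "$d" "$t") || continue
        [ "$key" \> "$since" ] || continue
        [ "$key" \> "$handled" ] || continue
        [ "$key" \> "$best" ] && best="$key"
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# One cron run: $1 log file, $2 state file, $3 window start key, $4 action.
# Runs the action at most once and records the handled event in the state file.
run_check() {
    local log="$1" state="$2" since="$3" action="$4" handled="" key
    [ -f "$state" ] && handled=$(cat "$state")
    key=$(newest_wan_up_event "$since" "$handled" < "$log") || return 1
    "$action"
    printf '%s\n' "$key" > "$state"
}

# Production action from the post: bounce cell0 so the tunnel moves back.
bounce_cell0() { ifconfig cell0 down; ifconfig cell0 up; }
# Harmless action used by the demo so the example runs on any host.
echo_action() { echo "would run: ifconfig cell0 down && ifconfig cell0 up"; }

# Constructed sample log (not captured from a real appliance).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024 Mar 31 23:59:40 gw connmgr: Internet connection "Internet1" is down
2024 Apr 1 00:00:10 gw connmgr: Internet connection "Internet2" is active now
2024 Apr 1 00:00:25 gw connmgr: Internet connection "Internet1" is active now
EOF
DEMO_STATE=$(mktemp); rm -f "$DEMO_STATE"
trap 'rm -f "$SAMPLE_LOG" "$DEMO_STATE"' EXIT

# Fixed window start for a deterministic demo; on the appliance use "$(window_start_key)".
if run_check "$SAMPLE_LOG" "$DEMO_STATE" "2024 03 31 23:59:30" echo_action; then
    echo "handled event $(cat "$DEMO_STATE")"
fi
run_check "$SAMPLE_LOG" "$DEMO_STATE" "2024 03 31 23:59:30" echo_action \
    || echo "second run: nothing new, no double bounce"
```

On the appliance the cron entry would call run_check with /var/log/messages, a persistent state file (for example under /var/tmp, a hypothetical location), "$(window_start_key)" and bounce_cell0; the state file is what keeps a second run within the same minute from bouncing cell0 again.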

3 Replies
the_rock
Legend

Fantastic!

AntonMakarychev
Contributor

Thank you!😀

PhoneBoy
Admin

Thanks for sharing this solution!
