kyle
Explorer

1200R High availability SSL VPN Routing between primary and secondary

Hi All,

 

We have been running into issues with a deployment of a remote access VPN on two Check Point 1200R devices. The below mudmap gives you an idea of our setup. Two firewalls externally attached to two different ISPs with static addresses.

mudmap.png

 

The issues I am running into are:

  1. Finding the SSL webpage very often fails to "upgrade" the connection into a VPN connection even with valid credentials using a known working configuration, and the only solution is to retry until it works. This is our biggest issue as this is a remote industrial site and having highly available remote access is critical.
  2. If FW1 is Primary and Active, connecting to the SSL VPN via the FW2 static IP will succeed but will not route traffic back from the local LAN (same situation for FW1 when FW2 is Active).
  3. We are using Active Directory for VPN authentication and have two domain controllers onsite. The appliance local management configuration interface only allows for one domain controller to be set up. Therefore, if we have a failure of the primary DC we lose VPN connectivity.

 

 

 

 

_Val_
Admin

Pretty sure this is working as expected. You cannot terminate SSL VPN on a standby member and expect it to work. On the LAN side, all traffic goes to active member only.

I would suggest some DNS script that would stick SSL VPN GW FQDN to active member only, then you could go by name and not IP, ending up on Active only.

I also believe this connectivity on the ISP side is not supported. You need to configure two ISP links on each box and use ISP redundancy.
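
The DNS approach suggested in the reply above, sketched as an added example that is not part of the thread and not Check Point tooling: it decides which member the VPN FQDN should point at and builds an `nsupdate` batch for a dynamic DNS update. The member names, addresses, zone, DNS server and the way member state is reported are all constructed assumptions.

```python
"""Added example: keep the SSL VPN FQDN pointed at the active cluster member."""

# All names, addresses and the state-reporting format are constructed
# assumptions for illustration; none of them come from the thread.
MEMBERS = {
    "FW1": "198.51.100.10",  # public IP on ISP A (documentation range)
    "FW2": "203.0.113.10",   # public IP on ISP B (documentation range)
}


def pick_active(states):
    """Return the name of the single member reporting 'active', else None.

    Zero or several active members (failover in progress, split brain)
    yields None so the caller leaves DNS untouched instead of flapping it.
    """
    active = [name for name, state in states.items()
              if name in MEMBERS and state.strip().lower() == "active"]
    return active[0] if len(active) == 1 else None


def build_nsupdate(states, current_ip, fqdn="vpn.example.com",
                   zone="example.com", server="ns1.example.com", ttl=30):
    """Build an nsupdate batch that repoints fqdn, or None if no change."""
    active = pick_active(states)
    if active is None or MEMBERS[active] == current_ip:
        return None
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {fqdn}. A",
        f"update add {fqdn}. {ttl} A {MEMBERS[active]}",
        "send",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample: FW2 has taken over while DNS still points at FW1.
    batch = build_nsupdate({"FW1": "standby", "FW2": "active"},
                           "198.51.100.10")
    print(batch or "no change")
```

The batch is meant to be fed to `nsupdate -k <keyfile>` so the update is TSIG-authenticated, and the short TTL bounds how long clients keep resolving to the previous member after a failover.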
