This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kebin23
Participant
‎2023-09-30 11:46 PM

Asymmetric traffic using ECMP with static routes

Hello checkpoint community.

I am experiencing an asymmetric traffic problem in my lab when I try to use ECMP to advertise a server to 2 IPs from different ISPs at the same time.

I have configured the following default route for my two gateways from each ISP.

 

route.png

 

 

Leave the ECMP configuration by default at GAIA.

ECMP.png

 

 

 

 

 

 

 

 

 

 

 

When both ISP links are UP, I reach the IP with which the server is published on ISP2 through port eth03 but the response returns through eth0, as shown in the following image.

Checkpoint_LAB_2.png

 

 

 

 

 

 

 

 

 

When I run the fw monitor, I see that it sends it through eth0, because that is the default route and that route also uses the public segment of my site 1 from where I am doing the test, I show the image of the fw monitor.

FW_monitor_1.png

 

 

 

 

 

 

 

 

 

 

 

When I download eth0, the default route that the firewall is considering for all traffic, the traffic is no longer asymmetric since my new default route goes through ISP2 where my server is published. I attach the image of the fw monitor.

FW_monitor_2.png

 

 

 

 

 

 

 

 

 

 

What remaining configuration in the firewall or ECMP am I missing so that the queries to the published server with an IP from ISP2 are symmetrical?

Laboratory topology

Checkpoint_LAB.png

 

 

 

 

 

 

route.png
Preview file
10 KB
ECMP.png
Preview file
24 KB
FW_monitor_1.png
Preview file
93 KB
FW_monitor_2.png
Preview file
102 KB
Checkpoint_LAB.png
Preview file
129 KB
Checkpoint_LAB_2.png
Preview file
150 KB
0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-10-02 12:18 AM

Why not consult TAC for this isssue ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin
Admin
‎2023-10-02 06:17 AM

This "feels" like a SecureXL issue.
You can somewhat test this theory by temporarily disabling templating with fwaccel off.
Note this may not stop accelerating the traffic: https://support.checkpoint.com/results/sk/sk162492
Either way, I strongly suggest consulting with the TAC: https://help.checkpoint.com

Kebin23
Participant
‎2023-10-03 11:13 AM
In response to PhoneBoy

Hi @PhoneBoy .

Thanks for the information, I will try disabling acceleration if that solves it.

0 Kudos
Kebin23
Participant
‎2023-10-03 02:03 PM
In response to PhoneBoy

Hi @PhoneBoy .

Disable the acceleration and the problem with that link is solved, but the asymmetry now occurs in eth0, which previously worked correctly. In short, the problem continues, only now on the side of ISP1.

SecureXL_off.png

 

 

 

 

 

 

Asimetria_eth0_ISP1.png

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-03 03:23 PM
In response to Kebin23

As suggested previously, a TAC case will likely be necessary to resolve the issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top