This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
OlegPowerC
Explorer
6 hours ago

Checkpoint ClusterXL and Cisco ASA Failover cluster VPN with BGP

Hello!

I configured tunnel from my ASA to Checkpoint Cluster XL.

All work but I not shure about properly work BGP.

I configured some router id on each gateways on the cluster (VIP of the internal interfaces)

Some peer - My ASAs tunnel interface ip

And on active gateway i see:

TEST-CHPSG01> show cluster roles

ID Role

1 (local) Master
2 Non-Master

TEST-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

 

On second:

Oleg Volkov, [10.10.2024 12:57]
CUDD-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

Oleg Volkov, [10.10.2024 12:57]
TEST-CHPSG02> show cluster roles

ID Role

1 Master
2 (local) Non-Master

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

 

After I reload active gateway and check BGP session on standby:

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

Multiple times - Idle


TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Active 0 0 00:00:00

Multiple times Active


TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 1 00:00:00

 

And now established.

I have 3-5 sec (sometimes more) downtime when standby gateway become active

May be I configured it improperly?

Second question is the best way to configure dynamic routing beatwen ClusterXL and cisco/Huawei routers. OSPF/IS-IS/BGP?

What I must do? configure peering to each gateways or to VIP address?

If to each gateways how Cisco will know about which route is prefer (which gateway is active)?

Thank You!

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
4 hours ago

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events