This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Choijilsuren_Ba
Explorer
‎2017-09-28 06:45 AM

ClusterXL does can not connect to the ISP Gateway

My ClusterXL  is working Load Sharing Multicast Mode but can not connect to the ISP. There is connected switch between CsusterXL and ISP. ClusterXL can connect to other devices. How to configure the ISP device or ClusterXL. The switch between the ISP and ClustrXL is Cisco catalyst 2960X. Distributed deployment and Security gateway is GAIA R80.10, Management is GAIA R80.10

0 Kudos
5 Replies
Danny
Champion
Champion
‎2017-09-28 01:18 PM

Try using Load Sharing Unicast Mode and check if your ClusterXL gateways can then reach your ISP router. If that is the case, switch back to Multicast Mode and troubleshoot the Multicast configuration on your switch between the firwall cluster and the ISP router.

0 Kudos
Choijilsuren_Ba
Explorer
‎2017-09-28 06:33 PM
In response to Danny

ClusterXL is currently working production. Therefore can not moved Load sharing Unicast mode. ClusterXL is can working other cluster interfaces. Other Cluster interfaces is working normally.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-09-28 01:34 PM

Define "cannot connect to ISP" -- by what method are you determining this?

Have you:

  • Verified you can ping the default route from both cluster members? (Verifies basic connectivity)
  • Verified you can ping one hop up from the default route (determines you've set up routing correctly)

The more details you can provide about your environment, what you've tried, what you expected, and what results you got, the more helpful the community can be. 

0 Kudos
Choijilsuren_Ba
Explorer
‎2017-09-28 07:20 PM
In response to PhoneBoy

Default route configured both cluster members but  can not ping to ISP gateway.

Example topology:

can ping from VIP:1.1.1.4 to 1.1.1.5 and 2.2.2.2.  can not ping from VIP: 1.1.1.4 to 1.1.1.1 

0 Kudos
PhoneBoy
Admin
Admin
‎2017-09-28 09:35 PM
In response to Choijilsuren_Ba

That looks suspiciously like this configuration (and this problem): https://community.checkpoint.com/message/8899-re-how-to-configure-external-interface-in-clusterxl?co... 

In fact, the network diagram looks nearly identical to the linked thread.

It may be a coincidence, of course.

To verify it is NOT a Check Point problem:

  • fw unloadlocal on one of the cluster members (this unloads the firewall policy) 
  • Attempt to ping the ISP gateway from the same cluster member

If you can not ping the ISP gateway in this situation, then it's unlikely to be a Check Point issue (or it could be a basic networking issue).

If you can ping the ISP gateway in this situation, then:

  • fw fetch localhost to reload the policy to the cluster member
  • Open a second ssh session to the cluster member
  • Attempt to ping the ISP gateway from one session while running tcpdump on the other.

If you can see ping packets leave your gateway and responses not come back, then it's likely an issue with your switch configuration.

If you can see ping packets come back and the ping is not successful, then it might be a Check Point configuration issue and I recommend working with the Check Point TAC: Contact Support | Check Point Software 

If none of this makes any sense, I strongly suggest working with your local Check Point partner or SE who can work with you one on one.

If you need a pointer to who to contact, please send me a private message and I will connect you. 

0 Kudos