Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
sreekanthvijay
Explorer
Jump to solution

Duel Ipsec route based tunnel to Azure with BGP enabled

Hi All ,

 

im looking for some document related to setup duel ipsec tunnel from check point 3200 model firewall to Azure with BGP enabled for automatic failover .

 

Can some one share the KB or related article regarding this 

0 Kudos
1 Solution

Accepted Solutions
Blason_R
Leader
Leader

The information seems to be very less.

How many ISPs you have on your firewall? Is this a VTI based tunnel or? Did you configure to tunnels from same ISP?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
0 Kudos
sreekanthvijay
Explorer

Hi ,

We are not using Vwan vpn gateway in azure , it is normal vpn gateway in azure and we are able to establish two tunnel with bgp to azure and we have created specific route map for traffic selection path , the problem what we are facing is when the tunnel and bgp is up and it runs with out any problem for some hour after that one of the bgp goes to active state and we need to reset the tunnel in azure side  for bgp to come up again and same thing happens for other tunnel also , so if we didn’t monitor it after certain time bgp towards azure for both vti becomes active and impact the production . In our side we have 3100 with cluster … Please suggest 

0 Kudos
Blason_R
Leader
Leader

The information seems to be very less.

How many ISPs you have on your firewall? Is this a VTI based tunnel or? Did you configure to tunnels from same ISP?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
sreekanthvijay
Explorer

Hi ,

we have two ISP and each tunnel is established on two different ISP to azure and uses BGP between azure and check point vti 

0 Kudos
Blason_R
Leader
Leader

This is surprising!! You can not configure two IPsec tunnels on two ISP since Check Point will not accept. You can define VPN listening interface and then configure the tunnel. However you can define multiple tunnels from same IP to two different Azure instances and then configure BGP over IPsec. 

I tried this multiple times since Check Point does not accept the tunnels on different interfaces hence I had to accommodate different solution and introduce router where tunnels are terminated and then configured BGP.

May be try running BGP traces however my gut feeling is - This is purely a IPsec issue since the peer goes into Active State in sometime.

What is the ouput of show bgp paths

show route bgp
show bgp peer <FIRsTPEER> advertise
show bgp peer <secondPEER> advertise
show bgp peer <FIRsTPEER> received
show bgp peer <secondPEER> received
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
sreekanthvijay
Explorer

Hi Balson ,

We don't have any problem for BGP advertise and received since that we have strictly controlled over the route maps and it is working as expected..

We have one problem is , after certain time one of the BGP peers which is going to azure is going to active state and it is not able to establish the connection until we reset the tunnel from Azure end ,

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime

10.250.4.4 65522 0 0 Active 0 0 00:00:00
10.250.4.5 65522 9 2 Established 2 2 00:35:08

In the above o/p 4.4 is the secondary tunnel to Azure and 4.5 is the primary one .Do you know how we can stop this and BGP to automatically establish the connection when the SA timer expired.

 

 

0 Kudos
Blason_R
Leader
Leader

What does BGP Trace logs shows sk101399

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events