This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ThoNie
Explorer
‎2024-04-10 03:23 AM

GRE Tunnel, Policy based routing and IP reachability

Hello Community,

I have set up two GRE tunnels on a R81.10 Cluster. Both tunnels connect to the same provider, but different POPs for redundancy.

clish> add gre id 1 local <Public IP of Firewall Node> remote <Public IP of GRE peer 1> ttl 255 ip 10.10.1.1 mask 29 peer 10.10.1.6
clish> add gre id 2 local <Public IP of Firewall Node> remote <Public IP of GRE peer 2> ttl 255 ip 10.10.2.1 mask 29 peer 10.10.2.6

Additionaly, I have set up a Policy Based Routing table to route specific traffic to this provider. The PBR table consists of only two default routes to each logical GRE interface.

clish> set pbr table Provider static-route default nexthop gateway logical gre1 priority 1
clish> set pbr table Provider static-route default nexthop gateway logical gre2 priority 2

With some PBR rules, I route specific traffic to this table.

I want one route to get disabled if a POP is not reachable anymore, but I cannot use the "ping on" feature on the routes because of the logical interface

clish> set pbr table Netskope static-route default ping on
RTGRTG0019 PBR Static route: Ping is incompatible with logical gateways.

The provider offers a private IP address for each POP which can be reached only through this POP to test if the tunnel is up and running. These are different from the local GRE ip addresess stated in the "add gre" commands above. So I've set up IP reachability for these addresses

clish> set ip-reachability-detection ping address <Probe address for POP 1> enable-ping on
clish> set ip-reachability-detection ping address <Probe address for POP 2> enable-ping on

In a tcpdump, I can see the gateway generates the ICMP packets to the probing addresses and they are answered.

But somehow I cannot "link" the probing to the routes. If the first POP (reachable through gre1) goes down, the interface gre1 will still be "up" and the firewalls tries to route all traffic through this interface. It never switches over to gre2.

How do I configure the fail over to gre2?

 

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2024-04-11 03:34 PM

I'm assuming you've reviewed this SK? https://support.checkpoint.com/results/sk/sk169794 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events