dgrenfell
Explorer

Has anyone been able to have redundant VPN tunnels with AWS using VTIs?

I have 2 site-to-site VPN tunnels going out to AWS, but I can't seem to force a failover to make sure redundancy is working. We have a cluster of 2 19100 appliances, so I know redundancy would work if we lost a gateway, but for some reason the steps I have taken to force a failover for the tunnels don't seem to work. I have performed the following:

- Logged into GAIA and disabled the VTI interface (vpnt2 in this case) and pushed policy

- When logged into the active gateway and looking at the tunnel list, I still see the tunnel associated with the VTI interface I had disabled showing connected

- After deleting the SAs for the gateway on the AWS end of this tunnel, it still showed connected, no matter how many times I performed those actions

The vendor on the AWS end said the tunnel never went down, and they were seeing traffic flowing in and out of their server, so that attempt was a bust. I then got CP on a conference call with us and the ONLY way we could get it to "fail over" was to remove the gateway that is associated with the VTI from the community. However, the same symptoms were still present (i.e. the tunnel still showing connected, etc.), but it was when the tunnel negotiation timer ran out that it FINALLY showed disconnected (after pushing policy the AWS side finally went down, but it took approximately 60ish seconds). When we ran fw monitor, we saw that traffic on our end was still trying to send things out the tunnel that was apparently down, so it just broke things, and we had to revert back.

TLDR: Am I missing something here?

Here is my configuration:

- Cluster of 2 19100 CheckPoint appliances running R81.20 with JHF 76

- 2 VTI interfaces pointing to their respective AWS gateways, using addressing provided by AWS

- A star community consisting of our cluster as the satellite gateway and the 2 AWS gateways as the center

- Both AWS gateways set with empty groups to facilitate the route-based configuration (instructions provided by AWS and CP TAC)

- Static routes set on both VTIs using a priority of 1 and 2 for each gateway (1 being the primary tunnel and 2 being the secondary) so the gateways know which VTI to "prefer" to send traffic out

- Directional rules set up in Smart Console to allow the traffic that is to be accepted

The site-to-site VPN IS working, I just can't seem to perform a forced failover to go from one tunnel to the other.

Any thoughts? Am I missing anything? Let me know if I need to show or explain anything further. Thanks all!


0 Kudos
9 Replies
Chris_Atkinson
MVP Gold CHKP

Can you describe further how the static routes are configured? Was there a particular guide which you followed?

CCSM R77/R80/ELITE
0 Kudos
dgrenfell
Explorer

Sure! I have the static routes set up in GAIA for both gateways like this:

[image.png: screenshot of the static routes configured in GAIA]

As far as the guide is concerned, I had a guide that AWS sent me via a text file, but I also looked at several threads on here when something didn't quite make sense in their guide. In the end I got the tunnels up, it's just that the redundancy aspect of it is not working.

0 Kudos
Chris_Atkinson
MVP Gold CHKP

You don't appear to be using the ping/monitor option...

What does the active routing table look like when the VTI is disabled?

CCSM R77/R80/ELITE
0 Kudos
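As an added illustration of the ping/monitor option Chris mentions, and of how to read the active routing table he asks about, here is what a pair of prioritised static routes with next-hop ping monitoring looks like in Gaia clish. This is example configuration added for this thread, not configuration posted by the original poster or by Check Point; the AWS VPC prefix 10.0.0.0/16 and the inside-tunnel peer addresses 169.254.10.1 and 169.254.20.1 are constructed placeholders to be replaced with the values from the AWS-provided configuration file.

```clish
# Constructed example, not from the thread: one next hop per VTI for the
# AWS VPC prefix. Priority 1 is preferred; priority 2 is only used when
# the priority 1 next hop has been withdrawn.
# 169.254.10.1 and 169.254.20.1 are placeholders for the AWS inside-tunnel
# peer addresses of vpnt1 and vpnt2 respectively.
set static-route 10.0.0.0/16 nexthop gateway address 169.254.10.1 priority 1 on
set static-route 10.0.0.0/16 nexthop gateway address 169.254.20.1 priority 2 on

# Ping monitoring: Gaia periodically pings each next-hop gateway and removes
# a next hop that stops answering from the kernel routing table, so the
# route falls back to the priority 2 tunnel instead of staying on a VTI
# whose IPsec SA is still "connected" from the VPN daemon's point of view.
set static-route 10.0.0.0/16 ping on

# Compare the active routing table before and after the forced failover:
# the destination should move from the vpnt1 peer to the vpnt2 peer.
show route
show route static

save config
```

Two caveats when testing this: ping monitoring only helps if the AWS side answers ICMP on the inside-tunnel address (an assumption about the peer, not something the thread confirms), and the priority on the static route decides only which VTI the clear-text packet is routed into; it does not by itself tear down the IPsec SA of the other tunnel, which matches the symptom of the tunnel list still showing the second tunnel as connected.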
the_rock
MVP Gold

Do you have a simple diagram?

Best,
Andy
0 Kudos
dgrenfell
Explorer

I do actually. I scrubbed all private information, but here is the basic diagram of how it flows. We have 2 ISP routers that connect out to the outside world, with the firewall cluster having a VIP between the two routers. The firewall cluster shares 2 VTIs with AWS and the traffic gets encrypted within our network, sent through the VTI and then out one of the ISP routers (whichever has the better path through BGP at the time). We don't have any dynamic routing on the firewall cluster, as that's all handled at the ISP routers, thus the reason for the static routes.

[image2.png: network diagram of the ISP routers, firewall cluster VIP and the two VTIs to AWS]

0 Kudos
the_rock
MVP Gold

Thanks mate! Let me see if I can try to lab this up when back from vacation.

Best,
Andy
0 Kudos
the_rock
MVP Gold

I had done this with Azure, but I suspect it would be similar on AWS.

Best,
Andy
0 Kudos
dgrenfell
Explorer

I have a tunnel with Azure for another vendor; it's not redundant, but man, it was SO much easier to set up and has never had any issues, unlike this one with AWS. I might need to have you share some pointers on how you got that to work with Azure so I can see if the same can be applied here with AWS.

0 Kudos
the_rock
MVP Gold

There are some differences, yes!

Best,
Andy
0 Kudos