Ankur_Datta1
Participant

ISP Redundancy - 2 default route pointing to different ISP

Hi,

Can we add 2 default routes on a Check Point firewall pointing to two different ISPs?

for example:
0.0.0.0/0 ---> ISP A
0.0.0.0/0 ---> ISP B

I am trying to do load balancing between 2 ISPs through ISP Redundancy (weight 50% for both ISPs).

But due to the default route pointing to ISP A, all traffic leaves through ISP A and ISP B is never utilized. When I add another default route on the firewall for ISP B with the same cost, traffic starts leaving through ISP B as well.

But after some time the firewall removes the ISP B route automatically. I want it to be in the routing table always. Is this the correct design?

I am doing hide NAT as well, with the 2 ISP external interfaces.

Thanks

13 Replies
AlekseiShelepov
Advisor

Check these guides:

ISP Redundancy 

How To Configure ISP Redundancy 

To enable ISP Redundancy:

  1. Open the network object properties of the Security Gateway or cluster.
  2. Click Other > ISP Redundancy.
  3. Select Support ISP Redundancy.
  4. Select Load Sharing or Primary/Backup.
  5. Configure the links.
  6. Configure the Security Gateway to be the DNS server.
  7. Configure the policy for ISP Redundancy.
0 Kudos
Ankur_Datta1
Participant

Hi Aleksei,

Thanks for your reply. I already configured ISP Redundancy on the firewall with the Load Sharing option checked, but in the routing table I can only see 1 default route, pointing to ISP A, as configured through the Gaia web portal. I added another default route through the CLI:

set static-route default nexthop gateway address ISP-B on

Now the routing table shows 2 default routes pointing to ISP - A and ISP - B:

S 0.0.0.0/0 via ISP - B, eth2, cost 0, age 5786
via ISP - A, eth1

I saved the config.

Traffic is traversing both paths, but after some time the firewall loses the default route added through the CLI and traffic again starts traversing the ISP - A path.

Kindly suggest.

0 Kudos
AlekseiShelepov
Advisor

Yes, that's normal behaviour.

There should be one manually configured default route pointing to the primary ISP. Other settings are taken from the ISP Redundancy configuration in the policy.

When the Security Gateway starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs. It changes the default route of the Security Gateway.

There are also some advanced configurations possible, and there it might be required to change text files. But in your case it should be a standard config in SmartDashboard only.

0 Kudos
Ankur_Datta1
Participant

Thanks for the update. How can we achieve load sharing then, if there is only a default route pointing towards ISP - A and we want traffic to traverse both links?

0 Kudos
_Val_
Admin

Make sure your GW (or GWs if it is a cluster) has both default routes configured on OS level. Use WebUI or clish to set them up. With clish, do not forget to type in the "save config" command.

0 Kudos
Ankur_Datta1
Participant

Hi Valeri,

I didn't understand. The gateway is in a standalone deployment and not part of a cluster. Are you talking about configuring through clish? What is the command to add a default route through clish? If I add the route, will it remain permanently in the routing table? And will ISP Redundancy also work, so that in load sharing, if 1 ISP goes down, there will be only one default route pointing to the other ISP? As soon as the ISP is up again, will the routing table have both routes?

Thanks

0 Kudos
_Val_
Admin

Before we go any further, are you using the same NIC to connect to both ISPs?

0 Kudos
Ankur_Datta1
Participant

No. On gateway ISP links are connected to two different interfaces.  Example : ISP - A on eth1 and ISP - B on eth2

0 Kudos
_Val_
Admin

Perfect, that is the requirement for ISP redundancy. Now, make sure on OS level each of the interfaces has a default route defined for it. Which version of software are you using?

0 Kudos
_Val_
Admin

If you are on Gaia, use 

set static-route default nexthop gateway address  on|off 

to add or delete a static route. 

Always conclude with 

save config
0 Kudos
Ankur_Datta1
Participant

I ran the same command to configure the default route to the backup ISP and did save config as well. This was run in the normal prompt where we can see the configuration or configure using the set command.

Further, if I test ISP Redundancy and remove the cable from port eth1 (primary ISP), the routing table shows the default route to the backup ISP. But when I plug the cable back in, the other default route doesn't show in the routing table. I need to check which route goes missing (the one configured through the CLI or the web GUI) and will update you.

0 Kudos
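An added example, not part of any post in this thread and not Check Point code: a small Python parser that compares two saved routing-table listings and reports which default-route next hop disappeared, which is the check described in the post above. It assumes the listing layout quoted earlier in the thread (a head line with the prefix and first next hop, then indented `via` continuation lines); the addresses, the connected-route line and both snapshots are constructed sample data.

```python
import re

# Head line of a route entry in the layout quoted in this thread, e.g.
# "S 0.0.0.0/0 via 203.0.113.1, eth2, cost 0, age 5786".
HEAD = re.compile(r"^\s*\S+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+via\s+([^,]+),\s*([\w.]+)")
# Continuation line carrying an extra next hop: "   via 198.51.100.1, eth1".
CONT = re.compile(r"^\s*via\s+([^,]+),\s*([\w.]+)")

def default_next_hops(route_text):
    """Return {(gateway, interface)} for every next hop of 0.0.0.0/0."""
    hops, in_default = set(), False
    for line in route_text.splitlines():
        head = HEAD.match(line)
        if head:
            in_default = head.group(1) == "0.0.0.0/0"
            if in_default:
                hops.add((head.group(2).strip(), head.group(3)))
            continue
        cont = CONT.match(line)
        if cont and in_default:
            hops.add((cont.group(1).strip(), cont.group(2)))
        elif not cont:
            in_default = False  # any other line ends the current entry
    return hops

def diff_default_route(before, after):
    """Compare two listings and report default-route next-hop changes."""
    b, a = default_next_hops(before), default_next_hops(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "kept": sorted(a & b)}

# Constructed snapshots (documentation addresses): taken before and after
# the second default route vanished.
BEFORE = """\
S    0.0.0.0/0 via 203.0.113.1, eth2, cost 0, age 5786
               via 198.51.100.1, eth1
C    10.0.0.0/24 is directly connected, eth0
"""
AFTER = """\
S    0.0.0.0/0 via 198.51.100.1, eth1, cost 0, age 12
S    192.0.2.0/24 via 198.51.100.1, eth1, cost 0, age 40
               via 203.0.113.1, eth2
C    10.0.0.0/24 is directly connected, eth0
"""

if __name__ == "__main__":
    print(diff_default_route(BEFORE, AFTER))
```

Capturing a listing before and after each link test, with timestamps, shows whether the next hop that vanishes is the one added by hand or the one from the original configuration.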
Mahir_Ali_Ahmed
Explorer

Hi Ankur,

Any luck finding the right answer? I am having the same issue.

Regards,

Mahir

0 Kudos
denis-stl
Explorer

Maybe check sk95249: How to configure multiple routes to the same network host in Gaia OS?

0 Kudos
