This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Man0j
Contributor
‎2020-11-16 01:36 AM

ISP Redundancy + IPSEC Tunnel with Zscalar in R80.40

Jump to solution

Dear Team,

 

My customer is on R80.40 with 5600 HA mode firewalls.

The scenario is below :

1. Lan users connect to Internet after passing through Check Point firewall and then after passing through Check Point the traffic  is IPSEC tunneled with ZScalar cloud proxy

2. Currently customer has 2 ISP Links and configured in Load sharing mode , Unfortunately one of the ISP's is frequently giving less amount of BW than it is supposed to this in turn creating latency issues to customer's internet traffic. Because of this reason customer manually changes the ISP redundancy  percentages i.e gives maximum priority to second ISP

3. But this is in turn creating  another problem i.e IPSEC tunnel with Z scalar gets disconnected and he should manually go to Link selection in Check Point and select the static IP of second interface.

Are we missing anything to make this work automatically with out manual intervention. Kindly help with solution.

 

AMARA RAJA.png

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-11-18 07:02 AM

Jump to solution

Curious, do you have this option checked in the ISP Redundancy settings with respect to VPN?

Screen Shot 2020-11-18 at 6.58.02 AM.png

View solution in original post

PhoneBoy
Admin
Admin
‎2020-11-19 08:32 PM
In response to Man0j

Jump to solution

Looks pretty self-explanatory to me.
If you want to use both interfaces at the same time for VPN, then you probably need to use this feature.
Whether it will work with Zscaler or not is a different question.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-11-18 07:02 AM

Jump to solution

Curious, do you have this option checked in the ISP Redundancy settings with respect to VPN?

Screen Shot 2020-11-18 at 6.58.02 AM.png

Man0j
Contributor
‎2020-11-19 08:09 PM
In response to PhoneBoy

Jump to solution

Hey Hi,

No it's not selected currently.

Sorry for late reply.

 

0 Kudos
Man0j
Contributor
‎2020-11-19 08:17 PM
In response to PhoneBoy

Jump to solution

Hi, Can you please explain importance of this VPN settings option in ISP redundancy.

Also request you to explain the about Route based probing mode in LINK SELECTION if you are aware.

 

 

Preview file
33 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-11-19 08:20 PM
In response to Man0j

Jump to solution

If you want VPN traffic to follow ISP Redundancy rules, then this setting needs to be enabled.
That should eliminate the need to change the Link Selection on failover.
Believe the route-based probing isn't relevant when using ISP Redundancy.

0 Kudos
Man0j
Contributor
‎2020-11-19 08:27 PM
In response to PhoneBoy

Jump to solution

Hi,

Many thanks for swift reply. Got cleared about VPN settings in ISP redundancy  with your explanation.

However, request you to have look and revert on the attached Image which explains about Route Based Probing option in link selection and it mentions relevancy about ISP redundancy Load sharing mode. 

Preview file
33 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-11-19 08:32 PM
In response to Man0j

Jump to solution

Looks pretty self-explanatory to me.
If you want to use both interfaces at the same time for VPN, then you probably need to use this feature.
Whether it will work with Zscaler or not is a different question.

0 Kudos
Man0j
Contributor
‎2020-11-19 08:53 PM
In response to PhoneBoy

Jump to solution

Many thanks for the explanation.

0 Kudos