Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Man0j
Participant

ISP Redundancy + IPSEC Tunnel with Zscalar in R80.40

Jump to solution

Dear Team,

 

My customer is on R80.40 with 5600 HA mode firewalls.

The scenario is below :

1. Lan users connect to Internet after passing through Check Point firewall and then after passing through Check Point the traffic  is IPSEC tunneled with ZScalar cloud proxy

2. Currently customer has 2 ISP Links and configured in Load sharing mode , Unfortunately one of the ISP's is frequently giving less amount of BW than it is supposed to this in turn creating latency issues to customer's internet traffic. Because of this reason customer manually changes the ISP redundancy  percentages i.e gives maximum priority to second ISP

3. But this is in turn creating  another problem i.e IPSEC tunnel with Z scalar gets disconnected and he should manually go to Link selection in Check Point and select the static IP of second interface.

Are we missing anything to make this work automatically with out manual intervention. Kindly help with solution.

 

AMARA RAJA.png

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin

Curious, do you have this option checked in the ISP Redundancy settings with respect to VPN?

Screen Shot 2020-11-18 at 6.58.02 AM.png

View solution in original post

PhoneBoy
Admin
Admin

Looks pretty self-explanatory to me.
If you want to use both interfaces at the same time for VPN, then you probably need to use this feature.
Whether it will work with Zscaler or not is a different question.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

Curious, do you have this option checked in the ISP Redundancy settings with respect to VPN?

Screen Shot 2020-11-18 at 6.58.02 AM.png

View solution in original post

Man0j
Participant

Hey Hi,

No it's not selected currently.

Sorry for late reply.

 

0 Kudos
Man0j
Participant

Hi, Can you please explain importance of this VPN settings option in ISP redundancy.

Also request you to explain the about Route based probing mode in LINK SELECTION if you are aware.

 

 

0 Kudos
PhoneBoy
Admin
Admin

If you want VPN traffic to follow ISP Redundancy rules, then this setting needs to be enabled.
That should eliminate the need to change the Link Selection on failover.
Believe the route-based probing isn't relevant when using ISP Redundancy.

0 Kudos
Man0j
Participant

Hi,

Many thanks for swift reply. Got cleared about VPN settings in ISP redundancy  with your explanation.

However, request you to have look and revert on the attached Image which explains about Route Based Probing option in link selection and it mentions relevancy about ISP redundancy Load sharing mode. 

0 Kudos
PhoneBoy
Admin
Admin

Looks pretty self-explanatory to me.
If you want to use both interfaces at the same time for VPN, then you probably need to use this feature.
Whether it will work with Zscaler or not is a different question.

View solution in original post

0 Kudos
Man0j
Participant

Many thanks for the explanation.

0 Kudos