This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mistercinux
Contributor
‎2020-09-09 08:54 AM
Jump to solution

ISP Redundancy not working on R80.30

Hello all,

I had trouble with the isp redundancy on a production environnement, because it didn't switched to the backup link when the main link failed.

In order to troubleshoot this issue, I created the following virtual lab, but I can't make it work as expected.

 
pic1.png

 

The ISP failover is configured as following :

pic2.png

And Access/ThreatPrevention Policy were installed on the cluster.

Now, if I shutdown the link eth0 from the Main Router, like this 

pic3.png

And if I tcpdump icmp traffic on the main router, I can see the icmp response "unreachable" to the gateway which is testing the link as following :

pic4.png

 

However, the default gateway don't change on the active cluster member. Did I missed something ?

-> I can't ping the internet from internal lan

-> I can't ping the internet from the active gateway, and the default gateway do not change automaticaly.

pic5.png

and if I try to make the isplink down it says no isp link :

pic6.png

cpstat fw :

pic7.png

Thank you for reading. 

Best regards,

1 Solution

Accepted Solutions
funkylicious
Advisor
‎2020-09-10 10:38 PM
In response to mistercinux
Jump to solution

Hi,

At this point, it's hard to figure out where the issue is, but I would start to investigate why in the ISP link table you see both ISP's ( routers ) as host not responding.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Then, I would start to tshoot with:

 

Use the fw isp_link command to force the ISP link state to Up or Down. Use this to test installation and deployment, or to force the Security Gateway to recognize the true link state if it cannot (the ISP link is down but the gateway sees it as up).

You can run this command on the Security Gateway or the Security Management Server: fw isp_link [target-gw] <link_name> {up|down}
<link_name> is the name in the ISP Link window.

 

I can also see ISP-1 is on eth3 and ISP-2 on eth5 .If it still doesn't work, as a last resort, I would redo the configuration

View solution in original post

0 Kudos
5 Replies
funkylicious
Advisor
‎2020-09-09 09:57 AM
Jump to solution

Hi,

Well, if you shutdown the interface ( .198 ) which is not directly connected to the firewall cluster, then I guess it's a normal behavior since it's responsive/reachable from the fw in the same subnet.

For situations where you might experience a failure of link, like in this case, if the equipment is a cisco to create a track ip sla and monitor reachability, make decisions based on that to what happens with the traffic.

 

If you disable the interface where the .254 ip is assigned is the behaviour changing ?

Do you also have multiple default static routes on the GW with different priorities ?

Wolfgang
Authority
Authority
‎2020-09-09 10:37 AM
Jump to solution

Which hosts did you monitor for the ISP-links, are these are different hosts for every ISP-link?

Your „ cpstat fw“ shows „a host not responding“ for both links. If no monitored host response this ISP link will be down.

To bring an ISP-link down you have to use the name of your link. In your case you should run „fw isp_link ISP-2 down“ not  „fw isp_link eth3 down“.

regards

Wolfgang

mistercinux
Contributor
‎2020-09-10 08:13 AM
In response to Wolfgang
Jump to solution

Hello all, and thanks for helping.

@funkylicious :

I didn't set multiple static routes in gaia because I configured the default routes in the smartconsole with isp redundancy. Shoud I also add the 2 default routes with clish on both gateways?

If I shutdown the .254 interface on the main router, it do not change anything. 

  • Default route is not changed on the gateway
  • cpstat fw shows the same state.
  • According to the text in the smart console, if one of the ip fails, the link should change to isp2 no ?

pic10.png

@Wolfgang :

I have configured different monitored ip on the 2 isp links

 

@everybody :

In order to debug this, I turned up all interfaces on the routers, and configured 2 routes as following in gaia with clish :

set static-route default nexthop gateway address 203.0.113.254 priority 1 on
set static-route default nexthop gateway address 203.0.114.254 priority 2 on

Here are the tcpdumps en the .254 interfaces on both routers :

pic8.png

The cpstat fw still command output this :

pic9.png

I can't understand why the 2 links are seen down since even with the 2 routers full operationnal, they are showed down in cpstat fw. (tcpdump shows the icmp response from the monitored ip on the gateway)

 

Thank you for your time.

0 Kudos
funkylicious
Advisor
‎2020-09-10 10:38 PM
In response to mistercinux
Jump to solution

Hi,

At this point, it's hard to figure out where the issue is, but I would start to investigate why in the ISP link table you see both ISP's ( routers ) as host not responding.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Then, I would start to tshoot with:

 

Use the fw isp_link command to force the ISP link state to Up or Down. Use this to test installation and deployment, or to force the Security Gateway to recognize the true link state if it cannot (the ISP link is down but the gateway sees it as up).

You can run this command on the Security Gateway or the Security Management Server: fw isp_link [target-gw] <link_name> {up|down}
<link_name> is the name in the ISP Link window.

 

I can also see ISP-1 is on eth3 and ISP-2 on eth5 .If it still doesn't work, as a last resort, I would redo the configuration

0 Kudos
mistercinux
Contributor
‎2020-10-16 08:11 AM
In response to funkylicious
Jump to solution

Hello, and sorry for the late feed back,

In my case, the issue was related to the "perform_cluster_hide_fold" value. (see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

Thank you for your help guys!

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events