This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Diamond
MVP Diamond
‎2024-02-02 12:47 PM
Jump to solution

ISP redundancy link health status

Hey guys,

Hope someone can clarify this for me. Are there any commands to run on CP side that would show actual health of the ISP link? Client has ISPR configured, but they had been having issues lately when random users not being able to RDP or losing pings to some internal servers when connected to primary link, but if they connect to 2nd isp link, all works fine.

TAC provided cpstat fw and sv monitor options to check this, but thats not helpful here at all, it simply shows whether links are up or down.

Any other commands we could utilize to check say status of the link in the last 30 days?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2024-02-05 07:33 AM
In response to Lesley
Jump to solution

Hey,

Just had remote with Tier3 guy from DTAC and he said command I gave fw -d isp_link to debug is the best, but otherwise, they dont sadly have a general IPS link health check commands. He advised to troubleshoot this when issue when someone is havinng the problem when connected to primary ISP link, so Im totally okay with that.

Best,

Anyd

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
14 Replies
Lesley
MVP Gold
MVP Gold
‎2024-02-02 01:19 PM
Jump to solution

Does the link flip-over? How does ISPR check if the link is healhty, does it ping only the default gateway?

If you only ping the DG it is not a proper health check, I always recommended to check the health of the IP after the DG. This will show in a traceroute 

But on CLI it is indeed cpstat fw, to see if it is active/backup or down. Same output I think you can see in cpview. 

If you want history if link failures they always have been logged in smartlog if you search for 'alerts'

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-02 01:22 PM
In response to Lesley
Jump to solution

There is never a failover, no. Ping to DG is fine, no issues there. I will check for alerts.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-02-02 01:42 PM
In response to the_rock
Jump to solution

Ping to DG is a not a solid way to test an internet connection. Best would be to monitor extra hop (maybe DNS from ISP?) or second IP in traceroute. Make sure to make static route for this next hop ip to force it via the correct ISP link. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-02 02:24 PM
In response to Lesley
Jump to solution

Trust me, there are no issues with DG or the link, Im 100% positive. Let me see what TAC guy gives Monday during remote.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-02-02 02:32 PM
In response to the_rock
Jump to solution

So from check point point of view what is the issue? If you think link is OK but users complain maybe the link is just full? Maybe check cpview history if the link is full up or down. Check peak and compare what the isp gives for speed 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-02 02:34 PM
In response to Lesley
Jump to solution

Thats what we are trying to find out IF it is indeed CP issue lol

Thats why I asked if there are good commands to run that would show the health historically. I looked through cpview, but cant find good option, unless I missed it.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-02-02 02:50 PM
In response to the_rock
Jump to solution

The network part where you can see the interfaces and the mbps tx and rx. Check historical if you see full isp link. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-02 02:51 PM
In response to Lesley
Jump to solution

K, thank you...will check Monday.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-04 11:15 AM
In response to Lesley
Jump to solution

Just had a quick look on customer's master fw and I dont see anything there related to ISP links. I do see stats for eth1, which represents, if you will, their primary ISP link, but no obvious issues that I can tell. Anyway, let me see what TAC guy says tomorrow.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-05 07:33 AM
In response to Lesley
Jump to solution

Hey,

Just had remote with Tier3 guy from DTAC and he said command I gave fw -d isp_link to debug is the best, but otherwise, they dont sadly have a general IPS link health check commands. He advised to troubleshoot this when issue when someone is havinng the problem when connected to primary ISP link, so Im totally okay with that.

Best,

Anyd

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Guido_Marx
Explorer
‎2024-02-13 11:00 PM
In response to the_rock
Jump to solution

Hi,

did you get any results, or have you found a procedure to track down the ISP redundancy issue?

We have two ISP links and when the primary link is active, it's showing the same behavior you're reporting, but only for FTP traffic and ICMP. The provider is promising that the line is okay. Swapping to the secondary, everything is fine.

The people on site are questioning the 6400, because another site in the same city and the same provider using a 6600 do not have problems at all.

Rgds from Germany
--Guido

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-14 04:17 AM
In response to Guido_Marx
Jump to solution

Hey mate,

Not really, sorry : - (. TAC guy said you can go to cpview, software-blades, then vpn, and if you scroll down, then you see link failures option,but again, that ONLY shows you if link ever failed, NOT the actual health.

Little disappointing there is no better way, but hey, as that cheesy saying goes, it is what it is haha. Maybe this becomes available in R82, no clue.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AmirArama
Employee
Employee
‎2024-02-14 05:12 AM
Jump to solution

consider replace ISPR with our Quantum SD-WAN.

with Quantum SD-WAN you will have clear visibility on the probing for each link with full sla results in real time and history, per steering / rule  (traffic), clear events on link swaps, and much more functionality & granularity.

0 Kudos
(1)
the_rock
MVP Diamond
MVP Diamond
‎2024-02-14 05:45 AM
In response to AmirArama
Jump to solution

I get what you are saying, but thats sadly not an option at the moment.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events