Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ave_Joe
Contributor
Jump to solution

MEP, path fail-over through center

Background:  I have a hub and spoke VPN community with the center gateways meshed.  The community is configured to allow traffic to the center and to other satellites through the center.  MEP is enabled and the entry point selection mechanism is set to Select the closet gateway to the source (first to respond) Route injection is enabled.  All tests show that satellites start routing traffic through another center should one of the center gateways be no longer available.  All good.

Unfortunately it's not real clear how traffic fails back if the original path becomes available again.  For example,  center gateways are C1, C2, and C3.  A satellite is S1  Pings times from S1 to C1, C2, C3 are all different as noted below.

Path

Site

ping times

A

S1 to C1

30ms
BS1 to C2100ms
CS1 to C3250ms

 

In this scenario, let's say Path A fails.  Traffic fails to Path B.  When Path A comes back online my expectation is that traffic will start using this path again because it offers better performance.  In my working setup this does not seem to be the case.  Is this a setting that has been missed or is this how MEP has been designed?

To make matters worse let's say Path A and Path B fail and now Path C is chosen  Path A and Path B come back but traffic is still using Path C.  User applications are stuck with 8 times worse performance for their applications.  Not ideal.

If the Paths do not auto-fail back to the faster link, is there a way to manually fail the traffic back to the least latent link without bringing the VPN tunnels down?

0 Kudos
1 Solution

Accepted Solutions
Ave_Joe
Contributor

As an FYI.  I opened a TAC case on this inquiry.

The answer is that every time Phase 1 IKE's are renegotiated the MEP decision is re-evaluated and updated accordingly.

I am working on getting this validated in my environment.

 

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

I don't think we fail back to a specific path unless you're doing active/passive.
More info here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Ave_Joe
Contributor

As an FYI.  I opened a TAC case on this inquiry.

The answer is that every time Phase 1 IKE's are renegotiated the MEP decision is re-evaluated and updated accordingly.

I am working on getting this validated in my environment.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events