This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antonio_M
Participant
‎2019-02-23 01:31 AM

Multi-ISP + NAT not working after migration from R77.30 to R80.10

Hello community, 

After replacing the current 4200 gateways running 77.30 by a new ones 5200 running R88.10, the multi-isp set up no longer works. The gateways, running a Cluster XL cluster are connected to two different ISPs and perform NAT depending on the target ISP. We copied all the GAIA configurations from the old gateways to the new ones and the cpisp_update script. No IP or route changes, pure gateway replacement without config changes.

To support this NAT, we added the following dynamic objects:

dynamic_objects -n DYN_ISP_Vodafone

dynamic_objects -n DYN_ISP_Colt

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

We confirmed the objects exist running the command dyn_objects -l

These dynamic objects are used in two different NAT rules for hiding the traffic as follows:

NAT Rule Vodafone:

Original Source: “Internal Networks”

Original Destination: “DYN_ISP_Vodafone”

Traslated Source: “Vodafone-Public-IP”

Traslated Destination: “Original”

NAT Rule Colt:

Original Source: “Internal Networks”

Original Destination: “DYN_ISP_Colt”

Traslated Source: “Vodafone-Colt-IP”

Traslated Destination: “Original”

To dynamically adjust the NAT according to the active ISP, we modified the cpisp_update script by adding the following commands at the end of the file:

# Verify which link is up with this command: tail -f /tmp/cpisp_state

echo "--------------------------" >> /tmp/cpisp_state

echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state

echo "RESTARTING SCRIPT" >> /tmp/cpisp_state

echo "LINK1" >> /tmp/cpisp_state

echo $LINK1_STATE >> /tmp/cpisp_state

echo "LINK2" >> /tmp/cpisp_state

echo $LINK2_STATE >> /tmp/cpisp_state

echo "--------------------------" >> /tmp/cpisp_state

echo " " >> /tmp/cpisp_state

# Check if the Link is up or down

if ($LINK2_STATE == "down") then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -d

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

endif

if ($LINK1_STATE == "down") then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -d

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a

endif

# if both Links are up, return to Load Sharing

if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a

endif

We can confirm it is a NAT issue because if we replace the above NAT rules by other using “any” instead of the dynamic object as the “Original Destination” it works, but not for the secondary ISP.

Current setup: 2 x 4200 gateways running R77.30 -> Multi-ISP Working

New setup: 2 x 5200 gateways running R80.10 Jumbo hotfix take169 -> Multi-ISP not working.

Regards.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2019-02-23 03:31 AM

What does the dynamic_objects -l command say on both sets of gateways?

0 Kudos
Antonio_M
Participant
‎2019-02-23 03:35 AM
In response to PhoneBoy

They showed 0.0.0.0 0.0.0.0. It looks like the script is not correctly

updating the objects. I triggered the script manually by disabling one of

the ISP. That script is working in the current gateways. Any changes on

R80.10?

On Sat, 23 Feb 2019, 12:31 Dameon Welch-Abernathy, <

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-23 03:42 AM
In response to Antonio_M

Not aware of any changes here.

It might be worth a TAC case.

How To Open a Case with TAC and/or Account Services

0 Kudos
Antonio_M
Participant
‎2019-02-27 11:45 PM
In response to PhoneBoy

We managed to get the dynamic_objects working and now outgoing traffic is working, however incoming traffic for static NATs using the secondary ISP no longer works. This was working prior to the upgrade.  Any ideas?

dynamic_objects -l looks like this:

object name : DYN_ISP_Vodafone

range 0 : 0.0.0.0                255.255.255.255

object name : DYN_ISP_Colt

range 0 : 0.0.0.0                255.255.255.255

Regards.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-28 02:08 PM
In response to Antonio_M

Did you open a TAC case as I previously suggested?

0 Kudos
Antonio_M
Participant
‎2019-03-01 12:12 AM
In response to PhoneBoy

Yes, I have an opened case but in parallel wanted to get more options while

the support team finds what's going on.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events