Morning everyone - Happy Hump Day! 😀
Question.
We have an AIO open server running R81.20 at our NJ site. We recently configured ISP redundancy and it is working as it should.
We have a S2S VPN between our NJ site and our European office. Their remote peer is also a Check Point.
My colleague in Europe has set up 2 (two) "NJ peer objects" on his side of the tunnel (each one representing one of our ISP circuits) to manage his end of the tunnel. His management is separate and not part of our environment. I do not have visibility into his environment.
Our S2S tunnel between NJ and Europe is working fine - but occasionally the tunnel will drop and we will have to delete the tunnel on our end using #vpn tu - option 7 (remote peer). Then the tunnel will come up again.
He is telling me they are sending out their VPN traffic to our primary circuit IP but they are seeing traffic from our end coming from us via our backup circuit. This is impossible as our backup circuit is in "backup" mode. I can verify if I perform a #cpstat fw.
I guess that this may be a "glitch"? The current backup circuit in NJ was the first and only circuit configured years ago when this gateway was built out. Our current primary circuit was added late last year. We are using it as primary because it is faster. So I'm guessing my gateway object in NJ is still associated with the old backup circuit....??
The ISP redundancy script is working fine. My default route in the Gaia portal matches my primary circuit network.
I'm trying to ensure our S2S traffic between us and our European peer is "synchronous" - meaning while on our "primary" circuit in NJ, traffic is being sent and received on our "primary" circuit and is not getting looped around on our backup circuit first making unnecessary hops. (Europe => NJ ISP1 => NJ ISP2 => Europe)
What logs can I look at to view the flow of encrypted traffic?
Thanks guys!
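One way to settle the "which circuit is our IKE/ESP actually leaving on" question, as an added example that is not part of the original post: capture the IKE (UDP 500/4500) and ESP packets between the gateway and the peer, then check whether any outbound packet is sourced from the backup circuit's address instead of the primary's. The script below does that check over a constructed, simplified capture format (time, protocol, src, dst); the three IP addresses are placeholders, and the capture lines are made up for the example. On a Gaia box the real capture would come from expert mode with something like tcpdump -nni <external-iface> "host <peer> and (udp port 500 or udp port 4500 or esp)", whose output would need its own field mapping before feeding it to the awk filter.

```shell
#!/bin/sh
# Added example (not from the original post). Reports outbound IKE/ESP packets
# towards the VPN peer whose source address is the backup circuit rather than
# the primary one. All addresses below are placeholders (assumptions).

PRIMARY_IP="203.0.113.10"   # assumed: NJ primary circuit external IP
BACKUP_IP="198.51.100.10"   # assumed: NJ backup circuit external IP
PEER_IP="192.0.2.50"        # assumed: European peer external IP

# Constructed capture lines, one packet per line: <time> <proto> <src> > <dst>
# (UDP entries carry :port; ESP entries do not).
SAMPLE_CAPTURE='
10:00:01 UDP 203.0.113.10:500 > 192.0.2.50:500
10:00:01 UDP 192.0.2.50:500 > 203.0.113.10:500
10:00:02 ESP 203.0.113.10 > 192.0.2.50
10:00:03 ESP 198.51.100.10 > 192.0.2.50
10:00:04 UDP 198.51.100.10:4500 > 192.0.2.50:4500
10:00:05 ESP 192.0.2.50 > 203.0.113.10
'

# Prints every outbound IKE/ESP packet that left via the backup circuit.
# Returns 0 when all outbound encrypted traffic used the primary circuit,
# 1 when at least one packet was sourced from the backup address.
check_egress_source() {
    capture="$1"
    mismatches=$(printf '%s\n' "$capture" | awk -v peer="$PEER_IP" -v backup="$BACKUP_IP" '
        NF == 0 { next }
        {
            src = $3; dst = $5
            # strip any :port suffix so UDP and ESP lines compare alike
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
            # only packets addressed to the peer are our egress
            if (dst != peer) next
            # IKE (UDP 500/4500) or ESP sourced from the backup address is the anomaly
            if (($2 == "ESP" || $2 == "UDP") && src == backup) print
        }')
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Convenience wrapper: number of offending packets in the capture.
count_backup_egress() {
    check_egress_source "$1" | grep -c .
}

# Stand-alone run against the constructed sample.
if check_egress_source "$SAMPLE_CAPTURE"; then
    echo "OK: all outbound IKE/ESP to $PEER_IP sourced from $PRIMARY_IP"
else
    echo "WARNING: outbound IKE/ESP to $PEER_IP seen from backup circuit $BACKUP_IP (above)"
fi
```

If the check flags packets, the next thing to compare is the gateway object's link selection settings (which address the gateway uses as its VPN source) against the ISP redundancy configuration, since a mismatch there is exactly what the European side's observation would look like.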