This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luke_Abrams
Participant
‎2024-06-05 10:54 AM

Site to site vpn, one site required to use backup ISP

Hey just looking to see if what I am doing is best way. We have 4 sites total 3 in the US one in Mexico.

The one site is what I will call our Primary site, all other locations connect back to here for phones, files, etc. Our primary isp works fine for the other 2 US locations connecting.

The Mexico site we have to use the backup ISP from our Primary site or the speed in one direction is slow. We have narrowed it down to a carrier that is off of primary ISP's network. (So no one wants to address this dropped packets issue). So when we use the backup ISP everything works fine in both directions. 

We are using static routes on the primary sites cluster members with Destination of Mexico cluster and gateway of primary site backup ISP gateway. 

It has been this way for a couple of years now and I was going to remove these routes to test and see if the issue was ever resolved and thought I would check in here and see if this is the best method or something else I should be looking at. 

Labels
0 Kudos
3 Replies
Duane_Toler
Advisor
‎2024-06-05 11:48 AM

Sounds good.  I presume these are all centrally-managed by the same Check Point management server/domain?  If so, and VPNs are involved, that means everything is certificate-based so you don't have to worry about IKE IDs.

Just make sure routes on the remote end are as you'd expect for the return traffic.

I can't think of anything special beyond what you've already listed.  You already know that you can re-add the static routes to revert the traffic, so there's your "backout" plan.  As for a minor "implementation" detail, I'd probably do the route change on the standby cluster member first then the active cluster member.  This is just to avoid any possible ClusterXL PNOTE for ROUTED. I doubt you'll have that anyway, but... might as well avoid the outsized possibility, however remote.

Good luck!

0 Kudos
Luke_Abrams
Participant
‎2024-06-05 12:26 PM
In response to Duane_Toler

Yes you are correct it is all centrally managed. I believe the tunnel must be established from the primary site as there are not any static routes configured on the remote site. Remote site is 1600's while primary is a pair of 5100's so there is a little difference in options. 

0 Kudos
Duane_Toler
Advisor
‎2024-06-05 12:28 PM
In response to Luke_Abrams

Sounds like all your changes are going to be done on the cluster nodes, which is what you were expecting.  Go for it!  Let us know how it turns out.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events