Luke_Abrams
Participant

Site-to-site VPN, one site required to use backup ISP

Hey, just looking to see if what I am doing is the best way. We have 4 sites total: 3 in the US, one in Mexico.

The one site is what I will call our primary site; all other locations connect back to here for phones, files, etc. Our primary ISP works fine for the other 2 US locations connecting.

For the Mexico site we have to use the backup ISP from our primary site, or the speed in one direction is slow. We have narrowed it down to a carrier that is off of the primary ISP's network (so no one wants to address this dropped-packets issue). When we use the backup ISP, everything works fine in both directions.

We are using static routes on the primary site's cluster members with a destination of the Mexico cluster and a gateway of the primary site's backup ISP gateway.

It has been this way for a couple of years now. I was going to remove these routes to test and see if the issue was ever resolved, and thought I would check in here and see if this is the best method or if there is something else I should be looking at.

3 Replies
Duane_Toler
Advisor

Sounds good. I presume these are all centrally managed by the same Check Point management server/domain? If so, and VPNs are involved, that means everything is certificate-based, so you don't have to worry about IKE IDs.

Just make sure routes on the remote end are as you'd expect for the return traffic.

I can't think of anything special beyond what you've already listed. You already know that you can re-add the static routes to revert the traffic, so there's your "backout" plan. As for a minor "implementation" detail, I'd probably do the route change on the standby cluster member first, then the active cluster member. This is just to avoid any possible ClusterXL PNOTE for ROUTED. I doubt you'll have that anyway, but... might as well avoid the outsized possibility, however remote.

Good luck!

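As an added illustration of the setup discussed in this thread (these are not commands posted by either participant), the following Gaia clish session shows the per-member static host route that steers traffic for the remote cluster's public IP out the backup ISP, the checks worth running around it, and the standby-first removal and backout sequence suggested above. The addresses are placeholders (203.0.113.10 standing in for the Mexico cluster VIP, 198.51.100.1 for the backup ISP gateway), and the command syntax assumes a Gaia R80.x-era clish; confirm it against your own version before running anything.

```clish
# Run on EACH primary-site cluster member: Gaia does not replicate
# static routes between members. Do the standby member first, then
# the active one, and confirm the cluster state on each before editing.
cphaprob state

# Record the current path to the remote cluster before touching anything.
show route

# Add (this is also the backout step) the /32 that forces IKE/IPsec for
# the Mexico cluster VIP out the backup ISP instead of the default route.
lock database override
set static-route 203.0.113.10/32 nexthop gateway address 198.51.100.1 on
save config

# Confirm the route is installed and no PNOTE was raised on the cluster.
show route
cphaprob -l list

# To test whether the primary ISP path is usable again, remove the route
# instead (same order: standby first, then active) and re-check.
# Re-run the "set static-route ... on" line above to back out.
lock database override
set static-route 203.0.113.10/32 off
save config
show route
cphaprob -l list
```

Two caveats a practitioner would want alongside this. First, the route only changes which interface the tunnel is sourced from if the gateway's VPN Link Selection leaves outgoing route selection on the operating system routing table (the default); if Link Selection pins a specific interface or IP, the static route alone will not move the tunnel. Second, as noted in the reply above, check the return path on the remote side as well: the remote cluster must reach the primary site on the backup ISP's public address, otherwise you get an asymmetric path and the same one-direction slowness. The expert-mode `vpn tu` utility (interactive) is the usual way to confirm which peer address the tunnel is actually up on after each change.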
Luke_Abrams
Participant

Yes, you are correct, it is all centrally managed. I believe the tunnel must be established from the primary site, as there are not any static routes configured on the remote site. The remote site is 1600s while the primary is a pair of 5100s, so there is a little difference in options.

Duane_Toler
Advisor

Sounds like all your changes are going to be done on the cluster nodes, which is what you were expecting. Go for it! Let us know how it turns out.
