Andy1977
Explorer

VPN link selection with multiple ISP on different cluster members

I'm new to Check Point gateways and would like to see if someone could help answer the questions below. Much appreciated.

Site A has a pair of gateways that form a simple active-standby cluster. Each gateway member has its own ISP internet connection. Only one internal network interface is configured for HA, so the cluster topology looks like this:

LAN1: 192.168.1.1 (Cluster VIP)
LAN2: Sync port
WAN1: 10.10.10.1 (ISP1, External, monitored private, on cluster member 1)
WAN2: 172.10.10.1 (ISP2, External, monitored private, on cluster member 2)

A star VPN community was created with standard settings to a peer firewall gateway; tunnels are permanent.

On the peer gateway, an Externally Managed Check Point Gateway object was created for Site A and the topology was defined properly. Since the Site A cluster has two internet connections, in IPSec VPN > Link Selection I selected Use probing, with link redundancy mode set to High Availability. The two IP addresses 10.10.10.1 and 172.10.10.1 are probed continuously. In Link Selection > Source IP Address Settings, it uses the default, Automatic.

After the setup, the VPN tunnels are up and all connections look fine, but there are always 3-4 pings lost in roughly every 1,000 pings.

Q1: I found packets named tunnel_test sent from the peer gateway to the Site A cluster, which I believe are the probing packets. But I didn't see the Site A cluster receive any of this traffic. Instead, the Site A cluster drops a number of UDP 17 packets. May I know what these UDP 17 packets are for?

Q2: In Link Selection > Source IP Address Settings, should I use the default Automatic, or Manual > IP addresses of chosen interface, when the peer cluster has two external IPs, each on a different cluster member?

Q3: An Externally Managed Check Point Gateway object refers to a gateway or a host which has Check Point software (Gaia) installed on it. Does this software also include Gaia Embedded? If the peer gateway is an SMB appliance, should I still use an Externally Managed Check Point Gateway object to define it?

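An added example for Q1, not part of the original thread or any Check Point tool: "UDP 17" in a drop message is IP protocol 17, i.e. plain UDP, so the useful next step is to bin the dropped packets by port before guessing what they are. The script below does that over lines in the shape of `fw ctl zdebug + drop` output. The line format is an assumption modelled loosely on that command (real output varies by version), the sample lines are constructed, and 203.0.113.10 is a stand-in peer address. The port mapping is the Check Point convention: UDP 259 is RDP, which carries link-selection probing and tunnel_test; 500 and 4500 are IKE and NAT-T; 2746 is Check Point's own UDP encapsulation. Anything else is reported by port so it stands out.

```python
import re
from collections import Counter

# Assumed line shape, modelled loosely on `fw ctl zdebug + drop` output.
# Real output differs between versions; adjust the pattern to what you see.
DROP_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*?Reason:\s*(?P<reason>[^;]+)"
)

IPPROTO_UDP = 17  # "UDP 17" in a drop message is IP protocol number 17, i.e. UDP

# UDP ports Check Point gateways use between VPN peers.
UDP_SERVICES = {
    259: "RDP (link-selection probing / tunnel_test)",
    500: "IKE",
    4500: "IKE NAT-T",
    2746: "VPN1_IPSEC_encapsulation",
}


def service_name(sport, dport):
    """Name the service by destination port, falling back to source port."""
    for port in (dport, sport):
        if port in UDP_SERVICES:
            return UDP_SERVICES[port]
    return f"udp/{dport}"


def classify_drops(lines, peer=None):
    """Count dropped UDP packets per (service, drop reason).

    If `peer` is given, only packets to or from that address are counted,
    which is how you isolate one VPN peer in a busy drop log.
    """
    counts = Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if not m or int(m["proto"]) != IPPROTO_UDP:
            continue  # unparsable line or not UDP
        if peer and peer not in (m["src"], m["dst"]):
            continue
        key = (service_name(int(m["sport"]), int(m["dport"])), m["reason"].strip())
        counts[key] += 1
    return dict(counts)


# Constructed sample lines (not captured from a real gateway). 203.0.113.10
# stands in for the peer; 10.10.10.1 and 172.10.10.1 are the Site A WAN
# addresses from the post; 198.51.100.7 is an unrelated host.
SAMPLE_DROPS = [
    ";[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 203.0.113.10:259 -> 10.10.10.1:259 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;",
    ";[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 203.0.113.10:259 -> 172.10.10.1:259 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 203.0.113.10:4500 -> 10.10.10.1:4500 dropped by vpn_decrypt Reason: Clear text packet should be encrypted;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 203.0.113.10:44321 -> 10.10.10.1:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;",
    ";[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 198.51.100.7:51515 -> 10.10.10.1:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;",
]

if __name__ == "__main__":
    # Only the peer's traffic: the two RDP probe drops and one NAT-T drop.
    for (service, reason), n in sorted(classify_drops(SAMPLE_DROPS, peer="203.0.113.10").items()):
        print(f"{n:4d}  {service:45s}  {reason}")
```

In practice you would run `fw ctl zdebug + drop` on the active Site A member, filter on the peer's address, and feed those lines in. If the RDP (259) row dominates, the dropped "UDP 17" packets are the peer's probes, which points at the rulebase or the cluster's accept-RDP handling on that interface rather than at the IPsec tunnel itself.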
Accepted Solution

the_rock
Legend

That sounds way too complicated, as @AmirArama indicated. This is how I did it in the lab on Azure, and it works totally fine.

Andy

Screenshot_1.png

Screenshot_2.png
4 Replies
AmirArama
Employee

If you are using an HA-type cluster, I'm not sure why you configured the ISPs like that, and I'm not sure it's a supported configuration.

You should configure both ISPs on both members with a VIP.

So you connect ISP1 via a switch or router with LAN interfaces to, for example, eth0 of both members. Configure the physical IP and VIP. Do the same for ISP2 on eth1, for example.

Configure link selection.

Install the policy.

Andy1977
Explorer

I know that building HA on both ISPs and using ISP redundancy is the more proper way. This was also the first approach I used, but then there was packet loss between the two ISPs. In the end, I changed to each cluster member using a different ISP, with only the internal interface in HA. I've been running this configuration for two weeks, and so far there have been no issues other than occasionally a few pings lost in the VPN tunnels. So is cluster members using different ISPs not a supported configuration? I will open a support ticket to check, then. Thanks.

the_rock
Legend

I am pretty sure it's NOT supported, but I could be mistaken; it would not be the first or last time lol

Anyway, yes, your best bet is to open the support TAC case to verify.

Have a nice weekend.

Best,

Andy
