KM1895
Contributor

VPN tunnels don't survive hard failover on ISP redundancy


I have a somewhat weird issue with ISP redundancy.


The setup is correct, and it is working just fine if I do a manual failover in the CLI (fw isp_link isp1 down/up).

The script runs, the default gateway is changed, and everything is working.

But if there is an issue with the physical link (we tested by unplugging the cable), I observe a strange behaviour.


The script is still working just fine, the default gateway is changed, and almost everything is working, except for the VPN tunnels.

This is the internal mesh for the customer, so there are Check Points on both sides.

What I see is that the gateway that has changed ISP due to the hard failover sends IKE packets to the other mesh member on the new and correct IP address, but the other member sends the reply packet back to the primary ISP IP address, which has an unplugged cable.

Tried resetting the VPN tunnels on both sides, but no matter what I tried, the result was the same. The customer currently has two sites with the same issue, and I'm running out of ideas for troubleshooting.

Has anyone come across something similar before, and if so, what was the solution/workaround?


The environment is R81.10 T95.

PhoneBoy
Admin

Recommend engaging with the TAC here: https://help.checkpoint.com 

KM1895
Contributor

Yeah, ended up opening a TAC case yesterday.

Peter_Lyndley
Advisor

Was there a solution provided?

starmen2000
Collaborator

@KM1895, did you find the solution? I also have a similar issue.

KM1895
Contributor

Hi,


I think this case is still being investigated, together with TAC.
