Azure VPN site2site redundancy
Hello,
I have a topology from our client to Azure like the attached picture.
Two Check Points run as standalone and I make CP-1 the main VPN site2site to Azure; the details are below:
- Traffic from LAN (10.103.248.xxx) to Azure (10.201.xxx.xxx) will be routed to CP1 by Core-1 and Core-2
- VPN site2site is already established/connected between Azure and CP-1
- Local Network Gateway on LNG-1 contains subnet 10.103.248.xxx and LNG-2 contains a random subnet (I filled in 192.168.1.xxx); this is needed for asymmetric routing between Azure and LAN
When we have an internet connection problem on CP-1, I do the following:
- Change routing from LAN to Azure via CP2 by Core-1 and Core-2
- VPN site2site is already established/connected between Azure and CP-2
- Change LNG-1 from subnet 10.103.248.xxx to 192.168.1.xxx and change LNG-2 from 192.168.1.xxx to 10.103.248.xxx
With the above condition we can fail over traffic to Azure manually, and with this thread I want to know whether any expert here has the same scenario as me and can make the failover automatic?
My goal is to make CP1 the main VPN, fail over to CP2 if CP1 has an internet connection problem, and fall back to CP1 again once the internet connection on CP1 is back online.
On the core switch side I can set up IP SLA to check whether the connection to Azure via CP1 is down and make a script to re-route to CP2 if the connection is down, but I'm not sure what I should do on the Check Point and Azure side.
I already tested: if LNG1 and LNG2 contain subnet 10.103.248.xxx, the traffic is intermittent, while on-prem the traffic to Azure should use CP1 because the traffic is not asymmetric.
Have you considered using Route-based VPNs (VTI) with BGP / dynamic routing?
Hi,
Do you have any article reference?
Whilst sk176249 is for vWAN there is some commonality in the configuration.
I recall a guide was also previously posted here by a community member but for an older version: