CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hey guys, new to the forum. Gotta say, I love the CP fw =) Well, my boss has me setting up the fw for ISP failover. Ex:

    Internet ---------->10.10.1.1(rt)---> 10.10.1.2(fw)->office
    Internet -----------|DSL Backup(rt)12.12.1.1----|12.12.1.2

Now, I have set it up for Primary/Backup, so when the T1, which is the 10.10.1.X link, goes down, the DSL Backup takes over. NOW, here's the problem. Since it knows the next hop from 10.10.1.2 is 10.10.1.1, if I disconnect the wire that goes from the rt to the fw, it knows and switches over to the DSL backup just fine. BUT if I disconnect the wire that goes from the internet to the rt, it doesn't detect!

1) Is the detection of the failover before the wire coming out of the router?
2) VPN to work as well with the DSL backup on failover?
3) I am trying to figure out how to set up the box for only 1, or maybe in the future more, DNS address for our internal email servers for external access.

Any help would be greatly appreciated!

-Luis

You should use a host further up than the router for the checks. I usually just do a traceroute and use the 2nd ISP's router (the one on the other side of the line) if it allows ping. Failing that, some of their DNS servers, since those should allow ping.

I tried that, and the link didn't come up, most likely b/c the link didn't allow pings. =\ OK, I will try the next hop over for this. But, question... can I put this in the "next hop ip address" for the main line? So, ex: 10.10.1.1 is the "gw" to the fw (10.10.1.2). Will it work if I put the IP address I want to monitor outside of the router? Ex.. 188.123.123.1, which would be the next router down the line outside the building? Or will it not work?

It seems I wasn't that clear, let me explain this a bit better. When you edit the "ISP Link", the next hop has to be the gateway, but then you have the "Advanced" tab, where you can add "Monitored hosts". So leave your config as is, but do the traceroutes to get the next hops after your edge routers for both ISPs, or some DNS servers or something "fairly close that accepts ICMP". Create these host objects with their IP addresses and then add them in the Advanced tab. Hope that helps.

Last edited by MarioL; 2007-02-14 at 08:36.

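The reply above explains why the original setup missed the upstream cut: the firewall only checked its next hop, and the edge router keeps answering even when the cable on its far side is pulled. The following is an added example, written for this page and not code from the thread or from Check Point, that models that decision logic offline. It reuses the thread's example addresses (10.10.1.1, 12.12.1.1, 188.123.123.1); the DSL-side monitored host 203.0.113.53 and the probe results are constructed stand-ins for real ICMP replies, and the "Primary/Backup" selection is a simplified model of the policy the poster describes, not the product's implementation.

```python
"""Model of ISP-link health checking: next-hop-only probing versus probing
monitored hosts beyond the edge router (the "Monitored hosts" idea above).

Added example, not from the thread or from Check Point. Probe results are
constructed; nothing here sends real ICMP."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Probe = Callable[[str], bool]  # returns True if the address answers a ping


@dataclass
class IspLink:
    name: str
    next_hop: str                          # edge router the firewall is cabled to
    monitored_hosts: List[str] = field(default_factory=list)


def link_is_up(link: IspLink, probe: Probe, require_monitored: bool) -> bool:
    """Next-hop-only check: the link counts as up while the edge router answers.
    With require_monitored=True, at least one monitored host beyond the router
    must also answer, so a cut on the router's WAN side is noticed."""
    if not probe(link.next_hop):
        return False
    if not require_monitored or not link.monitored_hosts:
        return True
    # any-of semantics: a second monitored host removes the single point of
    # failure the poster worries about ("I just hope that host never fails")
    return any(probe(host) for host in link.monitored_hosts)


def choose_active_link(primary: IspLink, backup: IspLink, probe: Probe,
                       require_monitored: bool) -> str:
    """Simplified Primary/Backup policy (assumption): stay on the primary while it
    is healthy, otherwise fail over to the backup; 'none' when both are down."""
    if link_is_up(primary, probe, require_monitored):
        return primary.name
    if link_is_up(backup, probe, require_monitored):
        return backup.name
    return "none"


def make_probe(reachable: Dict[str, bool]) -> Probe:
    """Constructed reachability table standing in for real ICMP probes."""
    return lambda addr: reachable.get(addr, False)


# Topology from the thread. 188.123.123.1 is the poster's example of a hop beyond
# the T1 router; 203.0.113.53 is a constructed (documentation-range) address for a
# host beyond the DSL router.
T1 = IspLink("t1", next_hop="10.10.1.1", monitored_hosts=["188.123.123.1"])
DSL = IspLink("dsl", next_hop="12.12.1.1", monitored_hosts=["203.0.113.53"])

# Scenario from the first post: the cable between the Internet and the T1 router
# is pulled. The router itself still answers, but nothing behind it does.
UPSTREAM_CUT = make_probe({
    "10.10.1.1": True, "188.123.123.1": False,
    "12.12.1.1": True, "203.0.113.53": True,
})


def demo() -> Dict[str, str]:
    """Which link each checking mode selects under the upstream-cut scenario."""
    return {
        "next_hop_only": choose_active_link(T1, DSL, UPSTREAM_CUT, require_monitored=False),
        "with_monitored_hosts": choose_active_link(T1, DSL, UPSTREAM_CUT, require_monitored=True),
    }


if __name__ == "__main__":
    for mode, active in demo().items():
        print(f"{mode:22s} -> active link: {active}")
```

With the next-hop-only check the model keeps traffic on the dead T1 because 10.10.1.1 still replies; with a monitored host beyond the router it fails over to DSL. The any-of test over `monitored_hosts` is why adding a second monitored host (another upstream hop or a DNS server that accepts ICMP) keeps one monitored host's outage from forcing a false failover.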
Considering the IPs you are using on the external interfaces, I foresee a VPN nightmare... you should always use valid public IPs (assigned to you) on the external NICs. I haven't been using FW-1 properly for some time now, so I never tried the new cool VPN features, so I can't help there, sorry.

Well, it worked like magic, the host detection. I just hope that host never fails! =) The VPN part is still not working though; it seems where I go to renew the certificate for the VPN connection, I put the IP of our backup line and still no VPN connection once the lines failed over. They are public IPs. The IPs I provided are just examples ;)

Hey guys, after getting the techs on this we solved it a long time ago, but I haven't been able to find this site =) The problem was with allowing a policy for RDP on the VPN. We noticed it would work for a few seconds but then it was blocked, so we knew it was a policy issue somewhere, just didn't know where.