| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Peoples - I am having a little problem at the moment. I am currently migrating ISPs and have configured a 2nd external interface on my Checkpoint NGX x45 Crossbeam appliance. It is a clustered interface, of which all the rest work perfectly. The problem lies in connectivity - I can add the interface perfectly, but then I can connect to it OK for about 8 or so hrs, and then I can't even get an ARP response back from it, even from the next hop. The ARP table just gives me INCOMPLETE on the router (next hop). It's almost like it doesn't see it at all - I can however ping it from within internal segments, but coming from external, it just doesn't seem to exist. It's like it's put the interface into a type of promiscuous mode for all traffic originating externally. I have only a 500 node license, and was wondering if I'm allowed 2 external interfaces. Any information would be greatly appreciated. Also, any SecureClient site created after I added the 2nd external interface doesn't seem to work at all - I have to delete the 2nd interface and the site can then be connected etc. SecureClient issue aside, I really just wanted to know if I can have multiple external interfaces defined - and if so, why it doesn't seem to work properly. Kind Regards, Fab |
| |||
| Checkpoint allows multiple external interfaces to be defined; however, your problem may be caused by an IP spoofing issue. After adding the second interface you will need to "disable" IP spoofing detection for this interface in the topology section of the management GUI. theoracle |
| |||
| Hi, We have a similar problem: we have 2 links and we want the first one to send all traffic but VPN traffic (this traffic would be sent through the second link). We are using two default gateways, the first with a metric of 0, the second with a metric of 100, using Link Selection from Checkpoint: IP Selection by remote peer: Using Ongoing Probing: Link 1, Link 2, Primary Link 2 (the VPN preferred link). Outgoing Route Selection: When initiating a tunnel: Route based Probing. When responding to a remotely initiated tunnel. So... with site-to-site it works fine... but with SecureRemote/SecureClient it fails when we try to update the topology... because it is sending it by Link 2, with the highest metric of default gateway. The site is created pointing to the Link 1 IP; we connect and it works fine... but when we make an update, it fails. Any idea on how to download the topology... or how to make the correct configuration for Link Selection...? |
| |||
| I don't have an answer to your question, but this post may be what you're looking for. It doesn't mention SecureClient per se, but is for link selection w/interfaces. Encrypting From Wrong Interface Let me know how it progresses! __________________ It's all in the documentation. |